Distributed Energy Resources and SCADA Systems – Security Choices for the Future
September 30, 2019
As the U.S. bulk power system relies on distributed energy resources (DER) for more of our overall electricity needs, the ability of grid operators, power marketers and reliability coordinators to maintain a secure supply will be increasingly challenged. This document reviews the various DER sources and the challenges in maintaining cybersecurity situational awareness and a stable risk profile as their number grows.
Power Generation – What will it look like in 2050
The U.S. Energy Information Administration[i] has projected the continued increase of power generation from renewables and a decrease from coal and nuclear. As the economics of generation continue to change, these projections may become even more pronounced.
Correspondingly, the number of renewable generation sites required to achieve these projections will increase significantly. The power density of solar PV and wind is much lower than that of fossil fuels or even hydroelectric generation. The National Renewable Energy Laboratory (NREL)[ii] studied the land use of solar PV installations of various designs in 2013. Many factors are involved, including collector type and fixed versus axis-tracking mounts, but the overall average is roughly 6 to 8 acres of land per megawatt of AC capacity. Wind requires even more land, with NREL estimating 12 to 56 hectares (roughly 30 to 140 acres) per megawatt for an average wind farm with modern turbines[iii]. While these figures will improve with better technology, there is no doubt that the number of physical installations needed to raise the share of renewable energy on the grid will be significantly higher in 2050.
Increased Attack Surface
The increase in the number of physical installations means a corresponding increase in the number of SCADA systems required to manage and control the generation and interconnection of these sites. Each site brings its own controllers, communications links, remote access paths and vendor management interfaces, all of which are attack surface, and with the higher number of interconnections comes a related increase in the complexity of the overall grid control system. These unavoidable trends of more generation systems and more complex control systems result in higher cybersecurity risk across the board for renewables and in the need for a strategic approach to managing renewable facilities across the nation[iv].
The SCADA market involves many different components and vendors serving many different applications, even within electric power delivery alone, so developing a management approach with a common architecture is difficult. No software application package universally supports all the management and operational requirements across the SCADA market. Electric utility owners and operators will need to develop a SCADA management architecture and roadmap that can scale in size while staying efficient, and a suite of applications to meet their operational and security requirements. Figure 2 is based on a report[v] from Sandia National Laboratories issued in December 2017.
Multiple Stakeholders and Administrators – Who’s Accessing the SCADA System?
As the number of DER installations increases, so does the number of organizations and personnel involved in managing them. How does the industry manage the risk of a growing workforce that requires increasingly sophisticated training to address not only the technology and growing complexity of the interconnected grid, but also the dynamic threat from ransomware, nation-state attacks and other cybersecurity threats?
One security control that provides risk reduction and benefits greatly from a centralized service approach is electronic access control. Many SCADA devices now support some form of centralized authentication, such as RADIUS, LDAP or Active Directory, and for those that do not, authentication proxy devices can provide the same functionality in front of them.
The security benefits include the ability to update user information across all devices with a few commands, to implement role-based access control with appropriate privileges for each device, and to maintain the associated accounting, logging and audit trails at the central service rather than on each device. Two caveats follow. First, the central identity service becomes both a single point of failure and a high-value target, so it needs redundancy and hardening of its own. Second, if the service is unavailable because of communications or network problems, which is most likely at remote sites, an engineer or technician must be dispatched to perform local actions and restore communications, so any local fallback (break-glass) account should hold only the privileges needed for that work and should be logged and reviewed whenever it is used.
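The following is an added example, not code from the original article or from any SCADA vendor, of how the control described above can be structured on a DER device: directory groups from a central authentication service are mapped per device to local roles with explicit privilege sets, every decision is written to an audit log, and a hashed break-glass secret is honoured only while the directory is unreachable. The directory, groups, users, device names and secrets are all constructed for illustration; the `CentralDirectory` class stands in for a RADIUS/LDAP/AD lookup.

```python
"""Added example (not from the original article): centralized role-based
access control for a DER SCADA device with a logged break-glass fallback.

Assumptions (hypothetical): CentralDirectory stands in for RADIUS/LDAP/AD;
the group, role, device and user names below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import hashlib
import hmac


class DirectoryUnavailable(Exception):
    """Raised when the central authentication service cannot be reached."""


class CentralDirectory:
    """Stand-in for a RADIUS/LDAP/AD group lookup. reachable=False simulates
    a communications outage to a remote site."""

    def __init__(self, groups_by_user, reachable=True):
        self.groups_by_user = groups_by_user
        self.reachable = reachable

    def groups_for(self, user):
        if not self.reachable:
            raise DirectoryUnavailable("central directory unreachable")
        return frozenset(self.groups_by_user.get(user, ()))


# Role -> privileges. Privileges are explicit; anything not listed is denied.
ROLE_PRIVILEGES = {
    "viewer": {"read_status"},
    "operator": {"read_status", "set_setpoint"},
    "engineer": {"read_status", "set_setpoint", "update_firmware"},
}

# Per-device mapping of directory groups to local roles. A user in several
# groups gets the union of the mapped roles' privileges.
DEVICE_ROLE_MAP = {
    "inverter-site-17": {
        "grid-ops": "operator",
        "der-engineering": "engineer",
        "noc-readonly": "viewer",
    },
}

# Break-glass local account: salted PBKDF2 hash of the secret is stored on
# the device; it carries only operator privileges and is logged as such.
BREAK_GLASS_USER = "local-breakglass"
BREAK_GLASS_SALT = b"constructed-salt"
BREAK_GLASS_HASH = hashlib.pbkdf2_hmac("sha256", b"constructed-secret", BREAK_GLASS_SALT, 100_000)
BREAK_GLASS_PRIVILEGES = ROLE_PRIVILEGES["operator"]


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, **fields):
        fields["ts"] = datetime.now(timezone.utc).isoformat()
        self.entries.append(fields)


def privileges_for(device, groups):
    """Union of privileges granted by the roles mapped to the user's groups."""
    role_map = DEVICE_ROLE_MAP.get(device, {})
    privs = set()
    for g in groups:
        role = role_map.get(g)
        if role:
            privs |= ROLE_PRIVILEGES[role]
    return privs


def authorize(directory, log, device, user, action, local_secret=None):
    """Return True if user may perform action on device; log every decision."""
    try:
        groups = directory.groups_for(user)
    except DirectoryUnavailable:
        # Only the break-glass account works without the directory, and only
        # with a correct secret and an action inside its limited privilege set.
        if user == BREAK_GLASS_USER and local_secret is not None:
            digest = hashlib.pbkdf2_hmac("sha256", local_secret, BREAK_GLASS_SALT, 100_000)
            if hmac.compare_digest(digest, BREAK_GLASS_HASH) and action in BREAK_GLASS_PRIVILEGES:
                log.record(device=device, user=user, action=action,
                           decision="allow", path="break-glass")
                return True
        log.record(device=device, user=user, action=action,
                   decision="deny", path="directory-unavailable")
        return False

    allowed = action in privileges_for(device, groups)
    log.record(device=device, user=user, action=action,
               decision="allow" if allowed else "deny", path="central",
               groups=sorted(groups))
    return allowed
```

The point of the design is that the device never stores per-user passwords or roles of its own: revoking a person means removing them from a directory group once, and the only credential that survives a directory outage is a single, narrowly privileged account whose every use is visible in the audit trail.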
Supply Chain – How Diverse are DER Control Systems?
An article in IEEE Spectrum described how a single utility and vendor remotely reprogrammed 800,000 microinverters on Oahu in a single day[vi] to meet growing customer needs. This is an impressive accomplishment that demonstrates the ability of distributed systems to scale across an entire service area. However, it also shows that an attacker who obtains the same access, whether through the vendor's management platform, its update channel or a compromised set of credentials, could use the same mechanism to cause an outage or, even worse, damage a large amount of equipment.
The strategic roadmap and architecture therefore need to include multiple solutions for operations and management of DER systems, so that no single authorized party, regardless of how trustworthy it may be, has the unilateral authority to impact widespread segments of the power grid. In practice this means separation of duties for fleet-wide commands and a bound on how many devices any one command may touch.
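The following is an added example, not code from the original article or from any DER vendor, of a gate that enforces the principle above for fleet-wide commands such as a microinverter reprogram: the command is released only when a threshold number of independent parties have approved exactly that command, and its target set must stay within a blast-radius cap, with a helper that splits a full-fleet rollout into batches that each fit the cap. The parties, keys, fleet and command are constructed, and HMAC-SHA256 with per-party secrets stands in for real digital signatures so the example runs on the standard library alone; a production gate would verify signatures against each party's public key instead.

```python
"""Added example (not from the original article): M-of-N multi-party
authorization plus a blast-radius cap for DER fleet commands.

Assumptions (hypothetical): the three parties, their keys, the fleet size
and the command are constructed; HMAC stands in for a digital signature."""
import hashlib
import hmac
import json

# Per-party secrets. In a real deployment each party keeps its own private
# key and the gate holds only public keys; HMAC is used here for brevity.
PARTY_KEYS = {
    "utility": b"constructed-key-utility",
    "vendor": b"constructed-key-vendor",
    "aggregator": b"constructed-key-aggregator",
}
REQUIRED_APPROVALS = 2                  # M of N: two distinct parties
MAX_FLEET_FRACTION_PER_COMMAND = 0.10   # blast-radius cap: 10 % of the fleet


def canonical(command):
    """Deterministic serialization so every party approves the same bytes."""
    return json.dumps(command, sort_keys=True, separators=(",", ":")).encode()


def approve(party, command):
    """A party's approval of exactly this command (signature stand-in)."""
    tag = hmac.new(PARTY_KEYS[party], canonical(command), hashlib.sha256).hexdigest()
    return party, tag


def verify_approval(party, tag, command):
    expected = hmac.new(PARTY_KEYS[party], canonical(command), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)


def gate(command, approvals, fleet_size):
    """Return (allowed, reason). Release only if enough distinct parties
    approved this exact command and its target set is within the cap."""
    valid = {p for p, tag in approvals
             if p in PARTY_KEYS and verify_approval(p, tag, command)}
    if len(valid) < REQUIRED_APPROVALS:
        return False, f"only {len(valid)} valid approval(s), need {REQUIRED_APPROVALS}"
    targets = set(command["targets"])
    if len(targets) > MAX_FLEET_FRACTION_PER_COMMAND * fleet_size:
        return False, f"{len(targets)} targets exceed the blast-radius cap"
    return True, "released"


def plan_batches(all_targets, fleet_size):
    """Split a fleet-wide rollout into batches that each fit the cap, so a bad
    image or a compromised party affects a bounded number of units per step."""
    size = max(1, int(MAX_FLEET_FRACTION_PER_COMMAND * fleet_size))
    return [all_targets[i:i + size] for i in range(0, len(all_targets), size)]


if __name__ == "__main__":
    fleet = [f"inv-{i:03d}" for i in range(100)]
    cmd = {"op": "reprogram", "image_sha256": "c0ffee" * 10 + "abcd", "targets": fleet[:10]}
    print(gate(cmd, [approve("utility", cmd)], len(fleet)))
    print(gate(cmd, [approve("utility", cmd), approve("vendor", cmd)], len(fleet)))
    print(len(plan_batches(fleet, len(fleet))), "batches")
```

Two properties matter here: approvals are bound to the canonical bytes of one command, so an approval collected for a small pilot batch cannot be replayed against the whole fleet, and the same party approving twice still counts as one party.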
Operational Awareness – Is This Normal or Not?
As the modern electric grid grows more complex, it becomes harder for utility operations staff to tell the difference between a normal operational event and a malicious intruder or attack. In August 2019, the United Kingdom "suffered a power outage that affected more than 800,000 customers."[vii] The utility said it was certain that the power failure had not been the result of malicious action or a cyber attack, while the British regulator demanded an investigation to conclusively determine the cause. Given how little cybersecurity forensic capability is typically in place at generation and substation level, and the number of interconnections in the UK grid, ruling out a cyber event that early in the investigation is questionable: an operator who cannot detect an attack that trips a plant is not in a position to exclude one either.
With even more external organizations connected to and involved in DER operations in the future, determining the cause of incidents will become increasingly difficult, which argues for collecting and retaining control-system logs and network captures before an incident rather than after.
Confidentiality and Trust
The common triad of principles for a secure system is confidentiality, integrity and availability (CIA). In traditional SCADA systems, availability and integrity are always a higher priority than confidentiality. However, with DER and many different parties engaged in the overall process of generating and distributing electricity, including residential consumers, the need for confidentiality, and perhaps more importantly its role as an enabling technology for transactive energy, starts to become more important.
The primary way to achieve confidentiality for information is to encrypt it at rest and in transit. Since most current SCADA systems are confined to internal networks and primarily transfer device status information to a central energy management system, the information traveling across the network isn't very interesting to typical intruders and is rarely encrypted; note that unencrypted SCADA protocols are usually also unauthenticated, so the integrity of commands still has to be protected by other means. As distributed SCADA systems increasingly use several communication methods from a wide variety of service providers, carrying more sensitive information alongside the usual SCADA data points is becoming more common[viii].
There are several ways to protect this information, including traditional Virtual Private Networks (VPNs) between facilities, in which the IPsec key exchange authenticates peers with digital certificates[ix], and newer technologies such as blockchain that may enable a whole new way to trade energy directly between participants[x]. All of these mechanisms need an underlying trust model that satisfies all engaged parties that the information is protected. VPNs rely on X.509 certificates and the PKI that issues them; blockchain relies on the replicated, append-only public ledger that gives the technology its name, which provides integrity and non-repudiation of recorded transactions but, on its own, no confidentiality of their contents, so sensitive fields must be encrypted before they are recorded. In any case, confidentiality and the technologies used to implement it will be critical to realizing the potential of DER to supply the majority of electricity on the grid by 2050[xi].
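The following is an added example, not code from the original article or from any blockchain or energy-trading project, of the integrity versus confidentiality distinction above: a minimal hash-chained, append-only ledger of energy trades in which altering any recorded trade is detectable by every holder of a copy, while every payload is nevertheless readable in the clear by every participant. The trade records and participant names are constructed.

```python
"""Added example (not from the original article): a minimal hash-chained
ledger of energy trades. Tampering is detectable (integrity); payloads are
visible to every copy holder (no confidentiality by itself).

Assumptions (hypothetical): trade records and participants are constructed."""
import hashlib
import json


def _block_hash(prev_hash, payload):
    """SHA-256 over the previous hash and the canonical payload bytes."""
    data = prev_hash.encode() + json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class Ledger:
    GENESIS = "0" * 64

    def __init__(self):
        # each block: {"prev": <hash>, "payload": <dict>, "hash": <hash>}
        self.blocks = []

    def append(self, payload):
        prev = self.blocks[-1]["hash"] if self.blocks else self.GENESIS
        block = {"prev": prev, "payload": payload, "hash": _block_hash(prev, payload)}
        self.blocks.append(block)
        return block["hash"]

    def verify(self):
        """Return the index of the first inconsistent block, or -1 if intact."""
        prev = self.GENESIS
        for i, b in enumerate(self.blocks):
            if b["prev"] != prev or b["hash"] != _block_hash(b["prev"], b["payload"]):
                return i
            prev = b["hash"]
        return -1

    def payloads(self):
        """What any participant holding a copy can read: everything, in clear."""
        return [dict(b["payload"]) for b in self.blocks]


def build_sample_ledger():
    """Constructed trades between a prosumer, a neighbour and an aggregator."""
    ledger = Ledger()
    ledger.append({"seller": "prosumer-A", "buyer": "neighbour-B", "kwh": 4.0, "price_usd": 0.48})
    ledger.append({"seller": "prosumer-A", "buyer": "aggregator-X", "kwh": 12.5, "price_usd": 1.25})
    ledger.append({"seller": "neighbour-B", "buyer": "aggregator-X", "kwh": 2.0, "price_usd": 0.22})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", ledger.verify() == -1)
    ledger.blocks[1]["payload"]["kwh"] = 120.5   # alter a recorded trade
    print("first bad block:", ledger.verify())
```

Recomputing the hash of the altered block does not help the tamperer either, because the next block still records the original hash as its predecessor; that chained dependency is what the "digital public ledger" buys. It buys nothing for confidentiality, which is why the prices and counterparties in `payloads()` are equally visible to every node.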
DER installations will increase in number and complexity as they replace aging coal and nuclear plants that are decommissioned. Several areas of cybersecurity require attention as this transition moves forward:
- Developing a strategic roadmap and architecture that scales to meet the anticipated growth provides a method to manage cybersecurity risk rather than reacting site by site.
- Controlling who has access to DER SCADA systems, and what privileges each user role holds on each device, provides the accountability and audit trails needed for effective cybersecurity risk management.
- Ensuring that multiple vendors are qualified to compete in the DER SCADA market provides diversity in the supply chain and, together with separation of duties for fleet-wide commands, ensures that a single entity does not hold sufficient privilege to cause a widespread DER outage.
- Training staff to distinguish issues caused by the operational environment from those caused by malicious actors, and retaining the logs needed to prove the distinction, will help avoid prolonged regulatory investigations and increase the trust customers place in utilities.
- Maintaining confidentiality of information will become more important as transactive energy becomes the normal way of doing business among DER stakeholders.
[iv] U.S. Department of Energy, Quadrennial Energy Review (QER), "Transforming the Nation's Electricity System," Chapter IV: Ensuring Electricity System Reliability, Security, and Resilience, January 6, 2017, https://www.energy.gov/sites/prod/files/2017/02/f34/Chapter%20IV–Ensuring%20Electricity%20System%20Reliability%2C%20Security%2C%20and%20Resilience.pdf
[v] Lai, Christine; Jacobs, Nicholas; Hossain-McKenzie, Shamina; Carter, Cedric; Cordeiro, Patricia; Onunkwo, Ifeoma; Johnson, Jay, "Cyber Security Primer for DER Vendors, Aggregators, and Grid Operators," Sandia National Laboratories, December 2017, https://www.researchgate.net/publication/322568288
[vi] Fairley, Peter, "800,000 Microinverters Remotely Retrofitted on Oahu—in One Day," IEEE Spectrum, February 5, 2015, https://spectrum.ieee.org/energywise/green-tech/solar/in-one-day-800000-microinverters-remotely-retrofitted-on-oahu
[vii] Weiss, Joseph, "We can't detect a cyber attack that trips a plant, but we immediately identify an outage as not being a cyber attack?," Control Global, Unfettered blog, August 12, 2019, https://www.controlglobal.com/blogs/unfettered/we-cant-detect-a-cyber-attack-that-trips-a-plant-but-we-immediately-identify-an-outage-as-not-being-a-cyber-attack/
[viii] Nguyen, Hieu Trung; Battula, Swathi; Takkala, Rohit Reddy; Wang, Zhaoyu; Tesfatsion, Leigh, "Transactive Energy Design for Integrated Transmission and Distribution Systems," Economics Working Paper 18004, Department of Economics, Iowa State University, 2018, https://lib.dr.iastate.edu/econ_workingpapers/41
[ix] Mason, Andrew, "IPSec Overview Part Four: Internet Key Exchange," Cisco Press, February 2002, http://www.ciscopress.com/articles/article.asp?p=25474&seqNum=7
[x] "Trading Energy: Will Blockchain Disrupt the Energy Industry?," Hackernoon, March 26, 2019, https://hackernoon.com/trading-energy-will-blockchain-disrupt-the-energy-industry-34a6a9e90112
[xi] Qi, Junjian; Hahn, Adam; Lu, Xiaonan; Wang, Jianhui; Liu, Chen-Ching, "Cybersecurity for Distributed Energy Resources and Smart Inverters," IET Cyber-Physical Systems: Theory & Applications, vol. 1, no. 1, pp. 28-39, 2016, doi:10.1049/iet-cps.2016.0018