Rooftop solar communities may soon become the latest line of cybersecurity defense for America’s vulnerable electric utility industry, providing emergency power for local consumers while supporting the grid in the event of an attack-based outage. Indeed, a key recommendation in a recent President’s National Advisory Infrastructure Council report on cybersecurity and the grid is that solar and other renewable energy-based microgrids be developed for emergency preparedness.
At the same time that solar microgrids can provide refuge from electric grid hacking, the microgrids themselves need to implement security protocols to avoid the same sort of hacking, some experts point out.
In a draft version of the NAIC report, “Surviving a Catastrophic Power Outage,” released in December, one recommendation is to “Support demonstrations of community enclaves design approaches, which may range from traditional hardening of infrastructure to microgrids that combine distributed energy resources, energy storage, and innovative consumer technologies.”
The NAIC report suggests that this can be achieved by “Deliver(ing) peer-reviewed results and lessons learned from demonstrations to provide utilities and communities with effective approaches to design, manage, operate, and fund microgrid and energy resilience capabilities.”
Some funding for such activity has already taken place. New Orleans, for example, won a grant from the US Department of Housing and Urban Development for $141 million in unused Hurricane Sandy recovery funds “to undertake the highest priority upgrades and implement advanced microgrid pilot projects in critical sections of the city.”
Rooftop solar and larger solar arrays are vulnerable to hacking through the inverter, which often has a web link to the equipment manufacturer that provides a monitoring service to the customer, if not a link to a community solar or community aggregation operation center. This vulnerability was recently highlighted in a November report by Ridge Global, a consulting firm founded by former Homeland Security Secretary Tom Ridge.
“Because the potential for nation-state actors to tamper with inverters exists during manufacturing, in transit, or after installation, we need to continue to closely monitor those products penetrating the U.S. photovoltaic market by overseas manufacturers, particularly those that are state-owned and controlled,” Ridge said in the report.
The Ridge report noted that “The criticality of inverters to grid stability was demonstrated during recent California wildfires, where inverters automatically shut down approximately 900 megawatts of solar power generation.”
“A hacker or cyber-attacker could potentially access thousands of web-connected inverters and significantly alter the flow of power from them to the grid; in a worst-case scenario, this could cause large, sudden spikes or dips in electricity supply, disrupting a local, state or national grid’s balance and potentially causing a widespread power outage,” the Ridge report continues.
Among recommendations of the Ridge report are that, “Federal, State, and private sector entities should work together in creating compliance requirements and best practices based for photovoltaic systems, including minimum physical and cyber-security measures and a supply chain security program.”
This could be achieved through industry effort: “The U.S. photovoltaic industry should adopt a supply chain certification program to protect PV components and inverters from manufacturer to installation,” the Ridge report says.
“Public and private investments need to increase to modernize and secure the U.S. electric grid, including secure photovoltaic technologies, to a level commensurate with existing threats. DHS should lead immediate development of a cross-sector program to provide real-time visibility into cyber-security incidents that threaten critical U.S. infrastructure in order to protect against cascading impacts,” the Ridge report concludes.
The Ridge recommendations are echoed in the NAIC report, which suggests that Congress “authorize catastrophic power outages as a high-priority mission for three key agencies: the Department of Energy, namely the Office of Electricity and Office of Cybersecurity, Energy Security, and Emergency Response; the Department of Homeland Security (DHS), namely the Federal Emergency Management Agency and the Cybersecurity and Infrastructure Security Agency; and the Department of Defense, namely U.S. Northern Command, U.S. Indo-Pacific Command, and the Defense Threat Reduction Agency.”
The NAIC report suggests that this catastrophic power outage preparedness authority should be underwritten with “specific budget appropriations to provide the supporting resources necessary to achieve this mission, with clear roles and responsibilities identified for each agency.”
For Homeland Security, action has taken place rapidly. The Cybersecurity and Infrastructure Security Agency Act of 2018 (The CISA Act) became law on November 16, 2018, reorganizing the National Protection and Programs Directorate in DHS to become the new Cybersecurity and Infrastructure Security Agency (CISA). This new agency is to be headed by the Director of Cybersecurity and Infrastructure Security, who will be an Under Secretary of the Department of Homeland Security.
CISA is tasked with leading the national effort to defend critical infrastructure against physical and cyber threats, and will comprise three divisions: the Cybersecurity Division, the Infrastructure Security Division, and the Emergency Communications Division.