The Biden administration’s efforts to improve the U.S. grid’s cybersecurity defenses face a patchwork of state-level regulations that could derail federal efforts to protect rapidly growing renewable energy resources from hackers.
The Departments of Homeland Security and Commerce last month released “best practices” aimed at strengthening the security of critical infrastructure, following a July presidential memo that called for voluntary goal posts to combat cybercrime. ‘woefully insufficient’ surveillance (Energy wire, July 29).
But experts warn that as distributed resources like solar and wind power are added to the U.S. power grid, the growing connectivity between power systems offers new opportunities for hackers to wreak havoc on power grids that are beyond the reach of the White House but fall under the jurisdiction of state rules.
“The Biden administration has done a pretty good job of drawing attention to all of these issues,” said Richard Mroz, senior advisor to the network security advocacy group Protect Our Power and former chairman of the New Jersey Board of Public Utilities. “The challenge, however, with the power grid on cybersecurity issues falls within the dichotomy of jurisdiction in the United States over the [bulk] electrical system in relation to the distribution system.”
The network cybersecurity regulations of the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. do not always apply to small generators like wind turbines or rooftop solar panels. But these technologies are generally more prone to hacking threats than the centralized, tightly-guarded power plants and transmission lines that make up the mass electricity grid.
“We’re seeing a huge amount of change with very, very little regulatory oversight for these technologies,” said Tobias Whitney, vice president of cybersecurity firm Fortress Information Security.
Many distributed resources are “still relatively new, so some don’t have to follow the cybersecurity standards set by NERC,” said Whitney, a former senior executive at the nonprofit network supervisor.
The stakes are high: U.S. intelligence officials have warned that state-backed hackers could cause temporary disruption of critical infrastructure networks (Energy wire, April 14). Many utilities have limited resources for cyber investments, and different state rules can pose challenges for large companies.
“There are normally 50 different flavors across the state. Even within states, given the different regulatory jurisdictions, it’s very different,” said Kevin Jones, director of the Institute for Energy and Environment of Vermont Law School.
However, some state utility regulators say they have felt left out of some of President Biden’s recent measures, including a national security note on improving cybersecurity for industrial control systems like those that underpin the network. The National Association of Regulatory Services Commissioners called for more dialogue between the federal government and state authorities to fully protect the network.
Lynn Costantini, deputy director of NARUC, said she was encouraged by the “momentum” on cybersecurity at the White House, but noted that the group had not heard from the administration.
“My disappointment was in the definition of public-private partnerships: to the administration, it seemed to me that the ‘public’ part of the partnerships was the federal government,” said Costantini.
“I think they’re missing out on a tremendous opportunity on the other side of government, and that is state government.”
Dianne Solomon, chair of critical infrastructure at NARUC, said states provide much of the data on cyber threats and distributed defensive measures through Information Sharing and Analysis Centers, or ISACs. “So if you’re looking to connect the dots and you leave one of the main points off the map, I see that as problematic,” Solomon said.
State utility regulators typically approve all expenses that regulated utilities pass on to electricity customers, meaning they play a key role in cybersecurity spending.
“I think one of the main issues is how to pay for it,” Solomon said. “These are the things that we deal with on a regular basis, and I think if you leave us out of those conversations you can find solutions – but how you apply them could be a problem if you don’t have that regulator or these states at the table.”
Asked about NARUC’s concerns, a National Security Council official pointed out that the group participates in the government’s Energy Sector Coordination Council, which includes the NSC as well as the Office of the Director of National Intelligence, among other federal, state and local officials.
The official also cited a “cooperation agreement” with the Department of Energy that led to “DOE-funded cybersecurity training for more than 400 utility commissioners, commission staff and other officials in charge of state energy.”
Of Biden’s note, the official said the goals were developed with “as much interagency and industry input as possible for the initial timeline using existing coordinating bodies,” calling state regulators and energy bureaus a “critical voice.”
‘A mixed bag’
Solomon said new technologies like solar and wind power are “a major problem for our organization and for utility regulators.”
As distributed energy resources advance rapidly, concerns about the cybersecurity of these systems “have reached the office level of the C suite,” Solomon added.
Unlike large power plants and high voltage transmission lines, distribution power grids that provide electricity to homes and businesses are supervised at the state level. How states and utilities manage the cybersecurity of these systems – and the small-scale renewable resources connected to them – can vary widely.
“A distribution system when you speak in New York for a large company like ConEd is going to be very different from a distribution system in a rural area which might be preferred by a cooperative. So it’s really a mixed bag,” said Jones of Vermont Law, who was the project leader on a 2019 article on distribution-level cybersecurity.
Jones said a major barrier to investing in cybersecurity is cost. A tariff case can be approved to add millions of dollars to cybersecurity investments, but the revenue can be taken elsewhere.
“Whether it is to prevent cybersecurity or to harden itself in the event of severe weather, the problem is that these investments have financial and legal implications for the entity that is actually supervising that an acceptable rate level ultimately falls on the company. State,” Jones said. “The goal of the public power entity is to provide service at an affordable price, and they don’t care about the return on equity investment for their shareholders.”
This means that the cyber readiness of utilities with distribution systems can vary widely, depending on the size of the business and its ability to cover costs in the event of a cyber attack.
Focus on the wind
Wind power, for example, is one of the fastest growing additions to the distribution network, where facilities are typically not subject to a cybersecurity review.
“Small applications, distributed wind turbines, they can be more vulnerable because they don’t have to meet such a strict cybersecurity standard,” said Jake Gentle, senior power systems engineer for the DOE’s Idaho National Laboratory.
The INL said in a recent guide that distributed wind systems – small-scale projects based near homes or businesses that use their electricity – have the potential to be added to nearly half of all U.S. buildings.
A cyber attack on such networks may not cause outages, but experts say hackers could still pose a threat to rural communities.
“The impact on the bulk power system or on our national power grid is tiny. It’s virtually nil,” said Gentle. “From a local perspective – locally generated, consumed locally – this impact could be very high.”
INL researchers have called for further development of cybersecurity standards for distributed systems.
One of the goals of the report was to highlight existing best practices, Gentle said. Professional organizations like the Institute of Electrical and Electronics Engineers have a plethora of cyber recommendations for distributed technologies, some of which can be applied to wind power.
“We’re not starting from scratch,” said Megan Culler, an energy engineer specializing in distributed energy resources, cybersecurity and resilience at INL. “Even though the standards and guidelines exist, the motivation isn’t necessarily there. So we want to highlight why we need safety even if you don’t have to.”
Yet securing broadly distributed energy systems is far too complicated for global standards to meet the challenge, the INL said.
“No single cybersecurity standard can meet all the security requirements, security controls, resiliency strategies and technologies, especially for a field as complex as DER,” said INL.
Cyber attacks are a major problem for renewables, and increasingly connected systems mean that an unsecured network can quickly become the source of a major attack, experts say.
“People will say to me, ‘Well, solar arrays … aren’t that complicated; what kind of damage can you really do?’” said Leo Simonovich, head of industrial cybersecurity at Siemens Energy. “But we saw examples of solar farms where it all started with a turbine, and then we turned around and within hours, six solar farms were affected by a single malware.”