This document presents a security risk assessment to distributed energy systems, wind farms, and solar parks.
The use of renewable energy in the European grid is increasing. In 2019 alone, renewables already generated 34,5% of Europe’s electricity. Distributed systems contributed significantly: Photovoltaic systems led the way with under one megawatt of generation capacity. Their installed base has already reached 80,9 GW in the EU-27. Wind farms and solar parks contributed an additional 168,7 GW and 38 GW, respectively. Most of these systems connect to the medium voltage or low voltage distribution grids.
Each area of the European grid is prepared to support losses up to a certain amount. In Central Europe for example, this amounts to three gigawatts. This means that an attacker needs to target only a small number of installed systems to reach the critical amount. Thousands of distributed systems can be reached remotely. At the same time, there are already multiple wind farms and solar parks that have over 300 MW of installed capacity. This means that both remote and physical, targeted attacks may pay off on their own for a malicious actor.
During the last years, several attacks against electricity companies became public. The attacks in Ukraine in 2015 and 2016 significantly affected the grid. It is known that some nation-states are building offensive cybersecurity capabilities, and some have already been suspected of being involved in such attacks. That is why we can say with certainty that there are motivated and capable attackers out there who pose a significant risk to the grid. To them, distributed systems, wind farms, and solar parks could provide a simpler attack path than other systems.
Successful attacks can affect multiple parties differently. For owners, it can make it difficult to recover their investment. Manufacturers, installers, and O&M providers can incur unexpected costs, suffer reputational damage that affects future business, and be accused of failing in due care or due diligence. Grid operators can fail to meet their quality-of-service obligations, bringing legal implications or added costs. Cascading effects may hit society, leading to the failure of multiple critical infrastructures, and causing loss of life.
This document assess the security risks in distributed systems to confirm that the security measures proposed in DR-201-2020: Security architecture for DER systems sufficiently mitigate these risks.