This report recommends security requirements for procurement of distributed energy resources (DER) controllers.
As alternative energy sources, such as wind, solar or heat, have become sustainable for small scale use, they are being placed in a wide variety of locations. These DER can be connected to high, medium, or low voltage grid, contributing significantly to the electricity mix. A large loss of DER generation can severely disrupt the electrical grid.
DER are exposed to significant cyber risks. Their operations and maintenance are supported by information systems. Many activities are executed through remote access, especially in larger DER. Cyber criminals can attack the systems or communications to obtain money or information from some party. Nation states can damage the systems or cause a black-out by switching off enough locations.
A DER controller is the most critical architecture component in field locations. It is placed in the perimeter of a field location. It exchanges information with remote systems through untrusted networks. It uses that information to control the generation process. It exists in systems of all sizes. It can be called by another name or be integrated with other components.
This document recommends security requirements to procure DER controllers that are protected against these risks by design and by default. The requirements cover:
• physical threats and threats from other components in the local network;
• threats from the central systems and other threats in the external networks;
• the development and support processes;
• the relationship with the supplier.