This paper asserts the need to consider distributed energy resources (DER) parties that remotely control hundreds of megawatts of electricity as critical, and to require these parties to take security measures like large grid operators or producers.
As alternative energy sources, such as wind, solar or heat, have become sustainable for small-scale use, they are being placed in a wide variety of locations. These DER can be connected to the high-, medium- or low-voltage grid, contributing significantly to the electricity mix. A large loss of DER generation can severely disrupt the electrical grid.
DER are exposed to significant cyber risks. Their operation and maintenance are supported by information systems. Many activities are executed through remote access, especially in larger DER systems. Grid operators are also connecting to larger DER systems to monitor and control their generation. Advanced threat actors, especially nation states, can attack these systems or their communications to cause blackout scenarios.
However, DER parties are often not ready to manage the societal risk of a cyberattack. They need to compete in the market and will be concerned about the business risks to themselves. They do not have a legal obligation to mitigate societal risks. Still, if they remotely control hundreds of megawatts of electricity, then their systems and operations are critical and they should be required to take the necessary security measures.
This document profiles critical DER parties and the threats to them. It recommends requiring these parties to protect their systems and processes against cyberattacks, and suggests that they set up an information security management system to manage the risks in a structured way. With this approach, they would align with many grid operators, contributing to a harmonized, standards-based approach throughout the electricity sector.