UL, NREL unveil DERs cybersecurity report, call for industry standards to protect against threats

Facebook
Twitter
LinkedIn
Reddit
Email
The report noted how the market shift towards DERs in the US was increasing the need for industry cybersecurity standards. Image: UL.

Safety and certification company UL and the US Department of Energy’s (DOE) National Renewable Energy Laboratory (NREL) have released a report into the cybersecurity of US interconnected grid edge devices and inverter-based resources that calls for security standards to be established to counter potential threats.

The report pointed to a “market shift from utility-scale to distributed generation”, meaning greater protection of distributed energy resources (DERs) is required to ensure the security of those assets and the wider US grid system from cyberattacks.

This article requires Premium SubscriptionBasic (FREE) Subscription

Unlock unlimited access for 12 whole months of distinctive global analysis

Photovoltaics International is now included.

Not ready to commit yet?
  • Regular insight and analysis of the industry’s biggest developments
  • In-depth interviews with the industry’s leading figures
  • Unlimited digital access to the PV Tech Power journal catalogue
  • Unlimited digital access to the Photovoltaics International journal catalogue
  • Access to more than 1,000 technical papers
  • Discounts on Solar Media’s portfolio of events, in-person and virtual

Or continue reading this article for free

It said DERs depend on advanced computer systems in both the information technology (IT) and operational technology (OT) space, which could be potentially infiltrated by common cyberattacks, such as eavesdropping, replay, man-in-the-middle (MITM) attacks, denial-of-service (DoS) attacks and more.

“To mitigate the effect of these potential attacks, cybersecurity certification standards and programs need to be established,” said the report, adding that a security standard would support “DER adoption into the grid without risk of compromising grid security.”

While the report will be used to create a “voluntary UL cybersecurity certification standard for DER stakeholders”, there are also plans to develop a future equipment standard and create a market value for cybersecurity certification to motivate industry stakeholders to adopt more secure systems.

A range of DERs are susceptible to cyberattacks, such as electric vehicles (EVs) and wind plants, but solar PV is exposed because of the increasing progression of smart inverter technologies that communicate directly with the grid network. The report said the most common attack vector for solar PV was through monitoring and control capabilities followed by sensor measurements which can be altered to manipulate voltage.  

UL and NREL performed two certification tests on solar PV inverters. The first was performed on industry standard PVs, while the second test was performed on PVs running an intrusion detection communication device (“bump-in-the-wire”) solution called DERCyST.

The tests, which assessed 10 different cybersecurity functionalities, found that “attacks can be mitigated by incorporating software and services, such as DERCyST in Test 2, which enable DERs to pass the certification recommendations into the DER environment”, while Test 1 exposed vulnerabilities in the average industry PV inverter.

The report calls for a ‘defence-in-depth’ approach to cybersecurity that has long been used to secure sophisticated and sensitive IT systems. Under the approach, if an attack were to breach one layer of defence, it would be stopped by a subsequent layer. Each of the 10 layers is described in depth in the report.

UL has reviewed and approved the recommended functionalities, validating their practicality, integrity and use for industry. “UL’s support for this report will accelerate the adoption of the certification recommendation features to a UL certification program and a cybersecurity standard for DERs,” said the report.

“Currently, there are no cybersecurity certification requirements to which manufacturers and vendors can certify their DER and IBR devices against an established and widely adopted cybersecurity certification program,” said Kenneth Boyce, senior director for Principal Engineering, Industrial, group at UL.

“The development of these new cybersecurity certification requirements will provide a single unified approach that can be taken as a reference for performing the testing and certification of DERs before being deployed and while in the field.”

The cybersecurity certification recommendations were informed through working group collaborations among NREL, Sandia National Laboratories, the SunSpec Alliance and “industry partners”.  

PV Tech has written about the importance of cybersecurity to the solar industry in Volume 24 of PV Tech Power. The full article can be read here.

7 October 2025
San Francisco Bay Area, USA
PV Tech has been running an annual PV CellTech Conference since 2016. PV CellTech USA, on 7-8 October 2025 is our third PV CellTech conference dedicated to the U.S. manufacturing sector. The events in 2023 and 2024 were a sell out success and 2025 will once again gather the key stakeholders from PV manufacturing, equipment/materials, policy-making and strategy, capital equipment investment and all interested downstream channels and third-party entities. The goal is simple: to map out PV manufacturing in the U.S. out to 2030 and beyond.
21 October 2025
New York, USA
Returning for its 12th edition, Solar and Storage Finance USA Summit remains the annual event where decision-makers at the forefront of solar and storage projects across the United States and capital converge. Featuring the most active solar and storage transactors, join us for a packed two-days of deal-making, learning and networking.
16 June 2026
Napa, USA
PV Tech has been running PV ModuleTech Conferences since 2017. PV ModuleTech USA, on 16-17 June 2026, will be our fifth PV ModulelTech conference dedicated to the U.S. utility scale solar sector. The event will gather the key stakeholders from solar developers, solar asset owners and investors, PV manufacturing, policy-making and and all interested downstream channels and third-party entities. The goal is simple: to map out the PV module supply channels to the U.S. out to 2027 and beyond.

Read Next

August 29, 2025
US-based climate insurance provider kWh Analytics has launched a new renewable energy insurance cover for extreme weather events.
August 29, 2025
US grid interconnection agreements grew by 33% in 2024, reaching 75GW, with three-quarters signed for solar PV and battery energy storage system (BESS) projects, according to a new report from energy market analyst Wood Mackenzie.
Premium
August 29, 2025
PV Tech Premium hears from Renewable Properties and Silicon Ranch about the new 'start of construction' rules for US solar projects.
Premium
August 28, 2025
US solar companies could potentially pay “tens of billions” of dollars in retroactive duties on products imported from Southeast Asia between June 2022 and June 2024, following a decision from the US Court of International Trade (CIT).
August 28, 2025
Boviet Solar has completed exterior construction work on its 3GW PV cell manufacturing facility in Greenville, Pitt County, North Carolina. 
August 27, 2025
The governor of New Jersey, Phil Murphy, has signed a new legislation that seeks to build 3GW of new community solar by 2029.

Subscribe to Newsletter

Upcoming Events

Solar Media Events
September 16, 2025
Athens, Greece
Solar Media Events
September 30, 2025
Seattle, USA
Solar Media Events
October 1, 2025
London, UK
Solar Media Events
October 2, 2025
London,UK
Solar Media Events
October 7, 2025
Manila, Philippines