UL, NREL unveil DERs cybersecurity report, call for industry standards to protect against threats

The report noted how the market shift towards DERs in the US was increasing the need for industry cybersecurity standards. Image: UL.

Safety and certification company UL and the US Department of Energy’s (DOE) National Renewable Energy Laboratory (NREL) have released a report into the cybersecurity of US interconnected grid edge devices and inverter-based resources that calls for security standards to be established to counter potential threats.

The report pointed to a “market shift from utility-scale to distributed generation”, meaning greater protection of distributed energy resources (DERs) is required to ensure the security of those assets and the wider US grid system from cyberattacks.

It said DERs depend on advanced computer systems in both the information technology (IT) and operational technology (OT) space, which could potentially be infiltrated by common cyberattacks such as eavesdropping, replay, man-in-the-middle (MITM) and denial-of-service (DoS) attacks, among others.

“To mitigate the effect of these potential attacks, cybersecurity certification standards and programs need to be established,” said the report, adding that a security standard would support “DER adoption into the grid without risk of compromising grid security.”

While the report will be used to create a “voluntary UL cybersecurity certification standard for DER stakeholders”, there are also plans to develop a future equipment standard and create a market value for cybersecurity certification to motivate industry stakeholders to adopt more secure systems.

A range of DERs, such as electric vehicles (EVs) and wind plants, are susceptible to cyberattacks, but solar PV is exposed because of the ongoing advance of smart inverter technologies that communicate directly with the grid network. The report said the most common attack vector for solar PV was through monitoring and control capabilities, followed by sensor measurements, which can be altered to manipulate voltage.

UL and NREL performed two certification tests on solar PV inverters. The first was performed on industry-standard PVs, while the second was performed on PVs running an intrusion detection communication device (“bump-in-the-wire”) solution called DERCyST.

The tests, which assessed 10 different cybersecurity functionalities, found that “attacks can be mitigated by incorporating software and services, such as DERCyST in Test 2, which enable DERs to pass the certification recommendations into the DER environment”, while Test 1 exposed vulnerabilities in the average industry PV inverter.

The report calls for a ‘defence-in-depth’ approach to cybersecurity that has long been used to secure sophisticated and sensitive IT systems. Under the approach, if an attack were to breach one layer of defence, it would be stopped by a subsequent layer. Each of the 10 layers is described in depth in the report.

UL has reviewed and approved the recommended functionalities, validating their practicality, integrity and use for industry. “UL’s support for this report will accelerate the adoption of the certification recommendation features to a UL certification program and a cybersecurity standard for DERs,” said the report.

“Currently, there are no cybersecurity certification requirements to which manufacturers and vendors can certify their DER and IBR devices against an established and widely adopted cybersecurity certification program,” said Kenneth Boyce, senior director for Principal Engineering, Industrial, group at UL.

“The development of these new cybersecurity certification requirements will provide a single unified approach that can be taken as a reference for performing the testing and certification of DERs before being deployed and while in the field.”

The cybersecurity certification recommendations were informed through working group collaborations among NREL, Sandia National Laboratories, the SunSpec Alliance and “industry partners”.  

PV Tech has written about the importance of cybersecurity to the solar industry in Volume 24 of PV Tech Power. The full article can be read here.
