PV Cyber Security Research (Final Report)

Extensive deployment of interoperable distributed energy resources (DER) on power systems is increasing the power system cyber security attack surface. National and jurisdictional interconnection standards require DER to include a range of autonomous and commanded grid support functions which can drastically influence power quality, voltage, and bulk system frequency. This project was split into two phases. The first provided a survey and roadmap of the cybersecurity for the solar industry. The second investigated multiple PV cybersecurity research and development (R&D) concepts identified in the first phase. In the first year, the team created a roadmap for improving cybersecurity for distributed solar energy resources. This roadmap was intended to provide direction for the nation over the next five years and focused on the intersection of industry and government and recommends activities in four related areas: stakeholder engagement, cyber security research and development, standards development, and industry best practices. At the same time, the team produced a primer for DER vendors, aggregators, and grid operators to establish a common taxonomy and describe basic principles of cyber security, encryption, communication protocols, DER cyber security recommendations and requirements, and device-, aggregator-, and utility-level security best practices to ensure data confidentiality, integrity, and availability. This material was motivated by the need to assist the broader PV industry with cybersecurity resilience and describe the state-of-the-art for securing DER communications. Lastly, an adversary-based assessment of multiple PV devices was completed at the Distributed Energy Technologies Laboratory at Sandia National Laboratories to determine the status of industry cybersecurity practices. The team found multiple deficiencies in the security features of the assessed devices. In the second year, a set of recommendations was created for DER communication protocols— especially with respect to the state-of-the-art requirements in IEEE 2030.5. Additionally, several cybersecurity R&D technologies related to communications-enabled photovoltaic systems were studied to harden DER communication networks. Specifically, the team investigated (a) using software defined networking to create a moving target defense system for DER communications, and (b) engineering controls that prevent misprogramming or adversary action on DER devices/networks by disallowing setpoints that will generate unstable power system operations.