Source: calsolarresearch.ca.gov/images/stories/documents/Sol4_funded_proj... · 1 October, 2015

    October, 2015

    Cyber Security Requirements and Recommendations for CSI RD&D Solicitation #4 Distributed Energy Resource Communications

    Jordan Henry, Rick Ramirez, Sandia National Laboratories
    Frances Cleveland, Xanthus Consulting International
    Annabelle Lee, Brian Seal, Electric Power Research Institute
    Tom Tansy, Bob Fox, Anil Pochiraju, SunSpec Alliance

  • CSI RD&D SOLICITATION #4 Cyber Security Recommendations ii

    Cyber Security Requirements and Recommendations for CSI RD&D Solicitation #4 Distributed Energy Resource Communications

    Jordan Henry, Frances Cleveland, Annabelle Lee, Rick Ramirez, Brian Seal, Tom Tansy, Bob Fox, Anil Pochiraju

    Abstract

    This California Solar Initiative (CSI) RD&D Solicitation #4 Distributed Energy Resource (DER) cyber security document provides cyber security recommendations for residential inverter-based DER assets that use a removable communications module. The communications module is a CEA-2045 snap-in module that is responsible for translating wide area network (WAN) communications, such as OpenADR 2.0b and IEEE 2030.5 (SEP2), into SunSpec Modbus messages which are supported by most residential DER systems. Specific communications addressed in the scope include communications between a utility or aggregator/vendor and the inverter via the CEA-2045 communication module. This includes the local interface between the module and the DER system itself. The cyber security recommendations are based on impact levels of low, moderate, and high for the various security requirements and security objectives. Threat analysis, functional scoring, best practices, and practical considerations were all considered during the development of the recommendations.


    Table of Contents

    1 EXECUTIVE SUMMARY ... 1-1
    2 BACKGROUND ... 2-1
      2.1 Scope ... 2-1
      2.2 Objectives ... 2-3
      2.3 Utility DER Communication Architecture ... 2-4
    3 INCORPORATION OF INDUSTRY STANDARDS ... 3-1
      3.1 Cyber Security High Level Guidance ... 3-1
      3.2 Communication Application Layer Cyber Security Standards and Guidelines ... 3-2
      3.3 Transport Layer Cyber Security Standards ... 3-2
      3.4 Wireless Cryptography ... 3-3
      3.5 Some Additional Cyber Security Techniques ... 3-4
    4 THREATS, VULNERABILITIES, AND IMPACTS ON POWER SYSTEM RESILIENCE WITH DER SYSTEMS ... 4-1
      4.1 Resilience and Cyber Security ... 4-1
      4.2 Threats: Engineering and Cyber ... 4-2
        Physical and Electrical Threats: Mostly but Not Entirely Inadvertent ... 4-2
        Cyber Threats: Inadvertent and Deliberate ... 4-3
      4.3 Vulnerabilities: Engineering and Cyber Vulnerabilities ... 4-6
        Power System Vulnerabilities and Attacks ... 4-7
        Cyber Security Vulnerabilities and Attacks ... 4-9
      4.4 Risk Management and Mitigation Techniques ... 4-11
        Risk Handling ... 4-11
        Risk Mitigation Categories ... 4-12
    5 CYBER SECURITY RECOMMENDATIONS METHODOLOGY ... 5-1
      5.1 Methodology Overview ... 5-1
      5.2 Inverter Functions ... 5-2
      5.3 Security Assessment ... 5-6
      5.4 Inclusion of Threat ... 5-8
      5.5 Analysis ... 5-8
    6 CYBER SECURITY RECOMMENDATIONS FOR CSI RD&D SOLICITATION #4 DER COMMUNICATION MODULES ... 6-1
      6.1 Cyber Security Recommendation Categories ... 6-1
      6.2 Interface A: CSI RD&D Solicitation #4 DER Cyber Security Recommendations ... 6-1
      6.3 Interface B: CSI RD&D Solicitation #4 DER Cyber Security Recommendations ... 6-4
      6.4 Cyber Security for Communication Protocols ... 6-6
        IEEE 2030.5 (SEP2) Cyber Security ... 6-6
        IEEE 1815 (DNP3) Cyber Security ... 6-8
    7 SUMMARY ... 7-1
    APPENDIX A CYBER SECURITY SCORING OF DER FUNCTIONS FOR RESIDENTIAL DER SYSTEM ... A-1

    List of Figures

    Figure 1: CSI RD&D Solicitation #4 DER Cyber Security Scope ... 2-1
    Figure 2: Communications between Utilities and individual DER systems, FDEMS, and REPs ... 2-2
    Figure 3: Scope of EPRI CSI RD&D Solicitation #4 Interactions with DER Systems within Residential Sites ... 2-3
    Figure 4: Five Level Hierarchical DER System Architecture ... 2-4
    Figure 5: Security Requirements, Threats, and Possible Attacks ... 4-11

    List of Tables

    Table 1: Mitigation Categories for Cyber-Physical Systems ... 4-14
    Table 2: DER Inverter Function List ... 5-2
    Table 3: Cyber Security Recommendations for CSI RD&D Solicitation #4 DER Communication: Interface A ... 6-2
    Table 4: Cyber Security Recommendations for CSI RD&D Solicitation #4 DER Communication: Interface B ... 6-4
    Table 5: IEEE 2030.5 Security Measures ... 6-7
    Table A-1: Cyber Security Scoring of DER Functions: Communication Module to Utility ... A-1
    Table A-2: Cyber Security Scoring of DER Functions: Communication Module to Aggregator/Vendor ... A-9
    Table A-3: Cyber Security Scoring of DER Functions: Communication Module to DER ... A-17


    Nomenclature

    ACL: Access Control List
    AES: Advanced Encryption Standard
    BITW: Bump In The Wire
    CA: Certificate Authority
    CIM: Common Information Model
    CRL: Certificate Revocation List
    CSI4: California Solar Initiative 4
    DER: Distributed Energy Resource
    DERMS: DER Database and Management Systems
    DMS: Distribution Management Systems
    DNP3: Distributed Network Protocol 3.0
    DR: Demand Response
    DSO: Distribution System Operators
    EAP: Extensible Authentication Protocol
    ECP: Electrical Connection Points
    FDEMS: Facility DER Energy Management System
    FIPS: Federal Information Processing Standards
    GIS: Geographical Information System
    HEMS: Home Energy Management System
    HTTPS: HyperText Transfer Protocol Secure
    ICCP: Inter-Control Center Protocol
    ICS: Industrial Control System
    IDS: Intrusion Detection System
    IEC: International Electrotechnical Commission
    IED: Intelligent Electronic Device
    IEEE: Institute of Electrical and Electronics Engineers
    IP: Internet Protocol
    IPS: Intrusion Prevention System
    IPsec: Internet Protocol Security
    ISO: Independent System Operators
    MMS: Manufacturing Message Specification
    NAT: Network Address Translation
    NERC: North American Electric Reliability Council
    NIST: National Institute of Standards and Technology
    OCSP: Online Certificate Status Protocol
    OMS: Outage Management System
    PCC: Point of Common Coupling
    PKI: Public Key Infrastructure
    REP: Retail Energy Provider
    RFC: Request For Comment
    RTO: Regional Transmission Operators
    SCADA: Supervisory Control and Data Acquisition
    SEP2: Smart Energy Profile 2.0
    SGIP: Smart Grid Interoperability Panel
    SIWG: Smart Inverter Working Group
    TBLM: Transmission Bus Load Model
    TCP: Transmission Control Protocol
    TLS: Transport Layer Security
    TSO: Transmission System Operators
    VPN: Virtual Private Network
    WAN: Wide Area Network
    XML: Extensible Markup Language


    1 EXECUTIVE SUMMARY

    This CSI RD&D Solicitation #4 Distributed Energy Resource (DER) cyber security document provides cyber security recommendations for smart residential inverter-based DER assets that use the SunSpec Modbus protocol and CEA-2045 communications module, as well as for wide area communication systems that use protocols such as OpenADR 2.0b and IEEE 2030.5. The Consumer Electronics Association CEA-2045 communications module is a plug-in device, responsible for translating wide area network (WAN) communications into SunSpec Modbus messages which are supported by most residential DER systems. Specific communications addressed in the scope include communications between:

    • A utility and the communication module

    • An aggregator/vendor and the communication module

    • The communication module and the DER system itself

    The cyber security recommendations in this document are based on impact levels of low, moderate, and high assigned to the security requirements. Threat analysis, functional scoring, best practices, and practical considerations were all considered during the development of the recommendations.

    This project formed a cyber security working group that developed this report. The cyber security working group scoring results for all three residential DER communication interfaces can be found in Appendix A. The scores generally indicate that:

    • Authentication and integrity of data are the most important cyber security requirements, and were assessed to be critical for all types of interactions, including monitoring and control commands, to ensure that the data exchanged comes from known sources and has not been modified in transit.

    • Authorization and non-repudiation are important to ensure that commands are authorized, executed as specified, and reported back accurately.

    • Availability is less critical since DER systems usually operate autonomously and can be preset to perform the DER functions.

    • Confidentiality is only important for select DER functions where either privacy or sensitive data is being exchanged, such as personal information or contractual data. For residential DER systems, it is not expected that much confidential data will be exchanged.

    Cyber security recommendations are then enumerated in Sections 6.2 and 6.3. The recommendations are meant to work in tandem with applicable industry standard best practices (Section 3), not replace them.


    2 BACKGROUND

    2.1 Scope

    The scope of this California Solar Initiative 4 (CSI RD&D Solicitation #4) Distributed Energy Resource (DER) cyber security document covers cyber security for the communications of residential inverter-based DER assets using the CEA-2045 format communications module.

    The communications module is a plug-in device in the Consumer Electronics Association's CEA-2045 format, responsible for translating wide area network (WAN) communications, such as IEEE 2030.5 (SEP2), into SunSpec Modbus messages which are supported by most residential DER systems. Specific communications addressed in the scope include communications between:

    • A utility and the communication module

    • An aggregator/vendor and the communication module

    • The communication module and the DER system

    Outside the scope of this document are interfaces that do not use the communications module. For instance, the following are excluded: communication interfaces for commercial, industrial, and utility-owned DERs, communication interfaces for non-inverter-based DERs, and utility-to-aggregator communication interfaces. Additionally, this document does not address communication interfaces from utilities or aggregators to home energy management systems (HEMS), to facility DER energy management systems (FDEMS), or to other DER proxies such as data concentrators/gateways.

    The scope is illustrated most succinctly in Figure 1. As depicted in the figure, the scope includes DER communication interfaces A and B, where interface A represents the first two scope bullets above and interface B represents the third scope bullet above. Communication interface A is the network interface that connects from the utility or aggregator/vendor to the communications module, while communication interface B is local between the communications module and the DER system.

    Figure 1: CSI RD&D Solicitation #4 DER Cyber Security Scope


    One of the motivators of the CSI RD&D Solicitation #4 project was California's Smart Inverter Working Group (SIWG) effort to define the functional and communications requirements for inverter-based DER systems within California. The SIWG Phase 2 communications scope is illustrated in Figure 2 and comprises the communications requirements between (see red lightning bolts indicating Wide Area Networks):

    1. Utilities and individual DER Systems

    2. Utilities and Facility DER Energy Management Systems (FDEMS) which manage DER systems within a facility, plant, and/or microgrid

    3. Utilities and Retail Energy Providers (REP)/Aggregators/Fleet Operators which manage and operate DER systems at various facilities

    Figure 2: Communications between Utilities and individual DER systems, FDEMS, and REPs

    The circled numbers #2, #5, and #12 within the residential box at the lower right side of the figure illustrate the project's scope as it relates to the Smart Inverter Working Group (SIWG), assuming that the interfaces #2 and #5 are with the DER system and not a home energy management system. Notice that the project effort's scope is significantly narrower and fundamentally different from that of the SIWG. The SIWG Phase 2 recommendations for updates to Rule 21 only focus on the communications interfaces at the utilities and leave the broader scope of exactly what is recommended at the DER facilities to other efforts, such as the CSI RD&D Solicitation #4 project.

    Another diagram, Figure 3, can be used to illustrate the scope of the CSI RD&D Solicitation #4 project, which addresses the cyber security requirements at the communication module.

    Figure 3: Scope of EPRI CSI RD&D Solicitation #4 Interactions with DER Systems within Residential Sites

    2.2 Objectives

    The objectives of this document are, first, to provide general information on cyber security concerns related to residential inverter-based DER communications, covering cyber security policies, procedures, and technologies that can be used to mitigate these cyber security concerns, and secondly, to recommend specific cyber security solutions for the communications interfaces with CSI RD&D Solicitation #4 DER communications modules.

    In particular, this document will present general recommendations using a logical taxonomy that mimics the National Institute of Standards and Technology Interagency Report (NISTIR) 7628 and NIST Special Publication (SP) 800-53, rev 4 control classes that address cyber security for any size residential inverter-based DER communications interfaces in a holistic fashion. This document also provides cyber security implementation guidance for IEEE 2030.5 (SEP2), IEEE 1815 (DNP3), and Modbus.

    2.3 Utility DER Communication Architecture

    In the SIWG, in the Smart Grid Interoperability Panel (SGIP), and in other forums, the hierarchical architecture of DER systems has been developed and illustrated as in Figure 4.

    Figure 4: Five Level Hierarchical DER System Architecture

    The five different levels are described as:

    1. Level 1 DER Systems (green in the Figure) is the lowest level and includes the cyber-physical DER systems. These DER systems are interconnected to local grids at Electrical Connection Points (ECPs) and to the utility grid through the Point of Common Coupling (PCC) (the ECP and the PCC may be the same if the DER is directly grid-connected). These DER systems will usually be operated autonomously. In other words, these DER systems will be running based on local conditions, such as photovoltaic systems operating when the sun is shining, wind turbines operating when the wind is blowing, electric vehicles charging when plugged in by the owner, and diesel generators operating when started up by the customer. This autonomous operation can be modified by DER owner preferences, preset parameters, and commands issued by utilities and aggregators.

    2. Level 2 Facility DER Management (blue in the Figure) is the next higher level in which a facility DER management system (FDEMS) manages the operation of the Level 1 DER systems. This FDEMS may be managing one or two DER systems in a residential home, but more likely will be managing multiple DER systems in commercial and industrial sites, such as university campuses and shopping malls. Utilities may also use a FDEMS to handle DER systems located at utility sites such as substations or power plant sites.

    3. Level 3 Third Parties: Retail Energy Provider or Aggregators (red in the Figure) shows market-based aggregators and retail energy providers (REP) who request or even command DER systems (either through the facility's FDEMS or via aggregator-provided direct communication links) to take specific actions, such as turning on or off, setting or limiting output, providing ancillary services (e.g. volt-var control), and other grid management functions. Aggregator DER commands would likely be price-based, either to minimize customer costs or in response to utility requirements for safety and reliability purposes. The combination of this level and level 2 may have varying scenarios, while still fundamentally providing the same services.

    4. Level 4 Distribution Utility Operational Grid Management (yellow in the Figure) applies to utility applications that are needed to determine what requests or commands should be issued to which DER systems. Distribution System Operators (DSOs) will monitor the power system and assess if efficiency or reliability of the power system can be improved by having DER systems modify their operation. This utility assessment involves many utility control center systems, orchestrated by the Distribution Management System (DMS) and including the DER database and management systems (DERMS), Geographical Information Systems (GIS), Transmission Bus Load Model (TBLM), Outage Management Systems (OMS), and Demand Response (DR) systems. Once the utility has determined that modified requests or commands should be issued, it will send these either directly to a DER system, indirectly through the FDEMS, or indirectly through the REP/Aggregator.

    5. Level 5 Transmission and Market Operations (purple in the Figure) is the highest level, and involves the larger utility environment where Transmission System Operators (TSOs), regional transmission operators (RTOs), or independent system operators (ISOs) may need information about DER capabilities or operations and/or may request aggregated services for the bulk power system from DER systems through the distribution utility or through the REP/Aggregators. These aggregated services may be established through contracts, tariffs, or market operations.

    Although in general DER systems will be part of a hierarchy, different scenarios will consist of different hierarchical levels and variations even within the same hierarchical level. For instance, small residential PV systems may not include sophisticated Facilities DER Energy Management Systems (FDEMS), while large industrial and commercial sites could include multiple FDEMS and even multiple levels of FDEMS. Some DER systems will be managed by aggregators through demand response programs, while others may be managed (not necessarily directly controlled) by utilities through financial and operational contracts or tariffs with DER owners.


    3 INCORPORATION OF INDUSTRY STANDARDS

    Smart Grid cyber security industry standards are procedural and technical rules generally accepted (if not widely implemented) by the industry as critical to improve the safety, reliability, security, sustainability, and cost-effectiveness of grid operations. Following these industry standards can save time and money, and offer benefits of increased security to both utilities and consumers alike. Some Smart Grid cyber security industry standards even offer guidelines that have been tested and proven to enable higher levels of reliability and security for DER communications. Applicability of relevant standards from different industries should also never go overlooked, and such standards should be incorporated where possible.

    3.1 Cyber Security High Level Guidance

    Some applicable Smart Grid cyber security guidelines, industrial standards, and technical specifications are:

    • NISTIR 7628 Guidelines for Smart Grid Cybersecurity, rev 1; the Smart Grid Interoperability Panel Cyber Security Working Group, September 2014. This is a 3-volume report including Smart Grid Cybersecurity Strategy, Architecture, and High-Level Requirements; Privacy and the Smart Grid; and Supportive Analyses and References.

    • North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Cyber Security Standards 002-009; this is a series of standards including Critical Cyber Asset Identification, Security Management Controls, Personnel and Training, Electronic Security Perimeters, Physical Security of Critical Cyber Assets, Systems Security Management, Incident Reporting and Response Planning, and Recovery Plans for Critical Cyber Assets.

    • IEC/ISO 27001, 27002, and 27019: Information Security Standards, with 27019 focused on the electric power industry.

    • NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Rev 4; this publication covers the steps in the Risk Management Framework that address security control selection for federal information systems in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200.

    • NIST SP 800-82 Guide to Industrial Control Systems (ICS) Security, rev 2: this is a guide for securing ICS including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control systems used in electric, water and wastewater, oil and natural gas, chemical, pharmaceutical, pulp and paper, food and beverage, and discrete manufacturing industries.

    • IEC 62351 Parts 8-13, Information Security for Power System Control Operations: defines high-level security requirements for power system management and information exchange, including role-based access control, key management, security architecture, XML security, DER resilience, and cyber security requirements in standards.

    • IEC 62443 Series on Security for Industrial Processes: measurement and control (work in process)

    • IEEE 1686 Substation Intelligent Electronic Devices (IEDs) Cyber Security Capabilities (being updated)

    • CIGRE B5/D2.46: Application and management of cyber security measures for Protection & Control systems

    • CIGRE D2.31 Security architecture principles for digital systems in Electric Power Utilities (EPUs)

    • DOE/DHS Electricity Subsector Cybersecurity Capability Maturity Model (ES-C2M2)

    • DOE/NIST/NERC Electricity Subsector Cybersecurity Risk Management Process Guideline

    3.2 Communication Application Layer Cyber Security Standards and Guidelines

    Communications have very specific cyber security requirements:

    • IEC 62351 Parts 1-7, Information Security for Power System Control Operations: defines security requirements for power system management and information exchange, including security for TCP/IP and MMS profiles, security for IEC 61850, DNP3, ICCP, and communications network management.

    • IEEE 2030.5 (SEP2): defines cyber security requirements for the SEP2 protocol.

    • IEEE 1815 (DNP3): defines cyber security requirements for DNP3.

    3.3 Transport Layer Cyber Security Standards

    Some applicable Transport Layer security requirements include:

    • IETF RFC 6272 Internet Protocols for the Smart Grid (identifies RFCs used in the Smart Grid)

    • Transport Layer Security (TLS) was derived from Secure Sockets Layer (SSL) and specifies asymmetric cryptography for authentication of key exchanges via a Public Key Infrastructure (PKI), symmetric encryption for confidentiality, and message authentication codes for message integrity. As indicated by the name, TLS provides security for the transport layer. Although the most commonly implemented version is still TLS 1.0, the newest version, TLS v1.2, defined in RFC 5246, should be specified for new implementations. TLS includes many alternative cipher suites; these could or should be pared down to a few in specifications to ensure that implementations provide adequate security and interoperability. IEC 62351-3 Ed 2 provides such a specification.

    • Hypertext Transfer Protocol Secure (HTTPS) is HTTP carried over TLS, and is formalized in RFC 2818.

    • Internet Protocol Security (IPsec) authenticates and encrypts each IP packet as well as providing mutual authentication at the start of a session, thus providing security at the Network Layer rather than at the Transport Layer. IPsec is covered in RFC 4101, RFC 4102, and RFC 4103, base standards for IP Security.

    • Virtual Private Network (VPN) creates a tunnel through the Internet (or other network) in which the entire IP packet is encrypted and then encapsulated into another IP packet. IPsec is often used to create the secure tunnel, although TLS and other security protocols can also be used.

    • The Group Domain Of Interpretation (GDOI) method defined in RFC 6407 supports the distribution of a symmetric group key to all preconfigured or otherwise enrolled entities, typically devices.

    • RFC 6347 Datagram Transport Layer Security (DTLS)

    • RFC 3711 Secure Real-time Transport Protocol (SRTP)

    • RFC 4962 Authentication, Authorization, and Accounting

    • RFC 5247 Extensible Authentication Protocol (EAP) Key Management Framework

    • RFC 5746 Transport Layer Security (TLS) Renegotiation Indication Extension

    • RFC 2712: 1999, Addition of Kerberos Cipher Suites to Transport Layer Security (TLS)

    • RFC 3268, 2002, Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)

    • FIPS 186-2, Digital Signature Standard (DSS)

    • RFC 3447, Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications, Version 2.1
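The TLS guidance in the list above (TLS 1.2 per RFC 5246 for new implementations, a pared-down cipher suite list, PKI-based peer authentication) turned into a client-side `ssl.SSLContext` for the communication module's WAN link, plus a check on the session that was actually negotiated. This is an added example, not code from the report or from any project it describes; the suite names are an assumption chosen for illustration, not the IEC 62351-3 Ed 2 profile the report cites.

```python
"""Transport-layer policy for the module-to-utility/aggregator (interface A) link.

Added example; not from the CSI RD&D Solicitation #4 report. The suite list is
an assumption for illustration: forward-secret ECDHE key exchange with AES-GCM.
IEC 62351-3 Ed 2 is the normative profile the report points to.
"""
import ssl

# Assumed pared-down TLS 1.2 suite list (OpenSSL names).
ALLOWED_TLS12_SUITES = (
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
)


def make_wan_client_context(cafile=None):
    """Build the client context the communication module would use toward the WAN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Floor at TLS 1.2: TLS 1.0 (still the most deployed version per the report)
    # and 1.1 are refused during the handshake rather than negotiated down to.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Pare the TLS 1.2 suite list down to the assumed profile (TLS 1.3 suites
    # are configured separately by OpenSSL and are all AEAD).
    ctx.set_ciphers(":".join(ALLOWED_TLS12_SUITES))
    # PKI-based authentication of the peer: require a chain to a trusted CA and
    # check that the certificate matches the host we intended to reach.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile is not None:
        ctx.load_verify_locations(cafile)  # CA bundle issued by the utility/aggregator PKI
    return ctx


def context_report(ctx):
    """Summarize what a context will accept, for design review or unit tests."""
    tls12 = sorted(
        c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"
    )
    return {
        "min_version": ctx.minimum_version.name,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "tls12_suites": tls12,
    }


def session_complies(version, cipher_name):
    """Check a negotiated session against the policy.

    Feed it ssock.version() and ssock.cipher()[0] from an SSLSocket, e.g. after
    ctx.wrap_socket(sock, server_hostname=host). Useful for logging and for
    detecting a peer (or middlebox) that downgraded the connection.
    """
    if version == "TLSv1.3":
        return True  # newer than the 1.2 floor; all TLS 1.3 suites are AEAD
    if version != "TLSv1.2":
        return False  # "TLSv1" / "TLSv1.1" / "SSLv3": below the floor
    return cipher_name in ALLOWED_TLS12_SUITES


if __name__ == "__main__":
    print(context_report(make_wan_client_context()))
    print(session_complies("TLSv1", "AES128-SHA"))  # a legacy session: False
```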

    3.4 Wireless Cryptography

    Wireless cryptography systems use the security provided by IEEE 802.11i WPA2, which establishes a Robust Security Network (RSN) that uses the Advanced Encryption Standard (AES) block cipher (as do most cipher suites at this time), requires the Counter with Cipher Block Chaining Message Authentication Code (CCM) Protocol (CCMP) for a 4-way handshake between two stations, and includes a Group Key Handshake. Some suggestions for managing WiFi could include:

    • Using centrally managed WiFi infrastructures and authentication

    • Adopting the IEEE 802.1X authentication infrastructure

    • Adopting a rogue AP detection mechanism

    The Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748 and was updated by RFC 5247. EAP is one of the possible authentication schemes of the more general IEEE 802.1X standard that is the de facto mandatory standard for WiFi enterprise deployment, and it is also applicable to wired LANs. When applied to wired LANs, 802.1X can allow a logical segregation of VLANs inside the same physical infrastructure. 802.1X is a role-based Network Access Control mechanism and brings the RBAC model to LAN access control.

    3.5 Some Additional Cyber Security Techniques

    Some additional cyber security techniques include the following:

    • Network Address Translation (NAT) functions isolate systems from direct access by external systems. They are often included in WiFi network routers, in which a single Internet IP is provided to a site, and is shared by all networked devices at that site. The NAT handles all interactions with the Internet and passes only authorized messages to the systems behind the NAT router, thus providing security against unauthorized traffic.

    • Access Control Lists (ACL) are used in routers to limit which ports and/or IP addresses are permitted to be accessed by which entities.

    • Intrusion Detection and Prevention systems (IDS and IPS) monitor networks for malicious or impermissible traffic. The IDS can detect such malicious traffic and notify users, while an IPS can actually block malicious traffic and support prevention of additional traffic from a suspect IP address.


    4 THREATS, VULNERABILITIES, AND IMPACTS ON POWER SYSTEM RESILIENCE WITH DER SYSTEMS

    4.1 Resilience and Cyber Security

    In the energy sector, two key phrases are becoming the focus of international and national policies: grid resilience and cyber security of the cyber-physical grid. Grid resilience responds to the overarching concern: "The critical infrastructure, the Smart Electric Grid, must be resilient to be protected against both physical and cyber problems when possible, but also to cope with and recover from the inevitable disruptive event, no matter what the cause of that problem is: cyber, physical, malicious, or inadvertent."

    Grid resilience includes hardening, advanced capabilities, and recovery/reconstitution. Although most attention is placed on best practices for hardening, resilience strategies must also consider options to improve grid flexibility and control.[1] Resilience of the grid is often associated with making the grid able to withstand and recover from severe weather and other physical events, but resilience should also include the ability of the cyber-physical grid to withstand and recover from malicious and inadvertent cyber events.

    Resilience, sometimes defined as the fast recovery with continued operations from any type of disruption, can be applied to the power system critical infrastructure. A resilient power system is designed and operated not only to prevent and withstand malicious attacks and inadvertent failures, but also to detect, assess, cope with, recover from, and eventually analyze such attacks and failures in a timely manner while continuing to respond to any additional threats.

    The cyber-physical grid implies that the power system consists of both cyber and physical assets that are tightly intertwined. Both the cyber assets and the physical assets must be protected in order for the grid to be resilient. But protection of these assets is not enough: these cyber and physical assets must also be used in combination to cope with and recover from both cyber and physical attacks in order to truly improve the resilience of the power system infrastructure.

    All too often, cyber security experts concentrate only on traditional IT cyber security for protecting the cyber assets, without focusing on the overall resilience of the physical systems. At the same time, power system experts concentrate only on traditional power system security based on the engineering design and operational strategies that keep the physical and electrical assets safe and functioning correctly, without focusing on the security of the cyber assets. However, the two must be combined: resilience of the overall cyber-physical system must include tightly entwined cyber security technologies and physical asset engineering and operations, combined with risk management to ensure appropriate levels of mitigation strategies.

    [1] Economic Benefits of Increasing Electric Grid Resilience to Weather Outages, Executive Office of the President, August 2013. See http://www.smartgrid.gov/sites/default/files/doc/files/Grid%20Resilience%20Report_FINAL.pdf

  • CSIRD&DSolicitation#4CyberSecurityRecommendations 42

    Asanexample,distributedenergyresources (DER)systemsarecyberphysicalsystemsthatareincreasinglybeinginterconnectedtothedistributionpowersystemtoprovideenergyandancillaryservices. However, distribution power systems were not originally designed to handle thesedispersed sources of generation, while DER systems are generally not under direct utilitymanagementorunder the securitypoliciesandproceduresof theutilities.ManyDER systemsprovideenergyfromrenewablesources,whicharenotreliablyavailableatalltimes.Therefore,theResilienceofpowersystemstoeventypicaldisruptionsisincreasinglyatriskasmoreoftheseDERsystemsareinterconnected.

4.2 Threats - Engineering and Cyber

Physical and Electrical Threats - Mostly but Not Entirely Inadvertent

Utilities are accustomed to worrying about physical threats, such as equipment failures and safety-impacting carelessness. Transformers can overheat and explode. Power lines can sag into trees, trip circuit breakers, and cause cascading power failures. Squirrels can chew through cables and cause local outages. Natural disasters are getting increased attention, particularly for utilities that commonly experience hurricanes, earthquakes, cyclones, ice storms, etc., even though these are looked upon as beyond the control of the utility. In fact, severe weather events seem to be becoming more common, so that utilities are trying to increase the resilience of their power systems in general through disaster planning and disaster recovery strategies.

Electrical threats include inadequate generation to meet the load, causing brownouts or outages; overgeneration; and frequency fluctuations that can cause cascading power failures. Utilities are continually trying to improve their management of these factors through forecasting generation and load, monitoring current power system status, and analyzing power system conditions for possible contingencies.

Some threats can be deliberate, such as a person shooting a transformer so that the oil drains out, or stealing copper grounding wires out of substations.

A new type of electrical threat is beginning to be realized, namely the impact of DER systems that are not under the direct control of utilities. DER systems can now impact normal power system operations if they are large enough or if they consist of a large enough group of smaller DER systems. Such electrical threats could include deliberate rapid fluctuations of real power by large (or large groups of) DER systems to cause power system instability, or the unauthorized export of excess generation to overload a circuit. These impacts include the following:

Anti-islanding failures. Under certain circumstances DER systems may not properly disconnect when the grid does experience an outage, thus failing to detect an electrical island. This situation can be a serious safety hazard.

Power system instability. Variations in DER generation due to unmanaged and unmonitored DER systems can cause power system instability and possibly widespread power outages.

Fluctuating energy output. Fluctuations in DER energy output due to variable renewable energy sources or responses to local loads can cause changes in voltage and frequency which may cause them to exceed their normal ranges.

Unnecessary DER disconnections. If voltage and/or frequency exceed their normal ranges, DER systems will cease energizing the grid and disconnect, thus worsening a situation that might otherwise have been recovered from.

Reverse power flows. Unmonitored DER output can cause backfeeding in substations that are not designed for reverse power flows.

Cyber Threats - Inadvertent and Deliberate

Utilities are increasingly recognizing the importance of protecting cyber assets and cyber information, which are becoming critical aspects of safe, reliable, and efficient power system operations. Cyber assets are now used to operate circuit breakers, monitor power system equipment, and manage energy markets. Cyber information that is inadvertently or deliberately compromised could cause major outages, destroy equipment, and trigger financial disruptions.

Threats are generally viewed as the potential for attacks against assets. These assets can be physical equipment, computer hardware, buildings, and even people. In the cyber world, however, assets also include information, databases, firmware, and software. Countermeasures to these security threats must include protection against both physical attacks and cyber attacks.

Threats to assets can result from inadvertent events as well as deliberate attacks. In fact, damage more often results from safety breakdowns, equipment failures, carelessness, and natural disasters than from deliberate attacks. However, the reactions to successful deliberate attacks can have tremendous legal, social, and financial consequences that could far exceed the physical damage.

Security risk assessment and management is vital in determining exactly what needs to be secured, against what threats, and to what degree of security. The key is determining the cost-benefit ratio, where the likelihood and magnitude of an impact are greater than the cost to mitigate that impact. There is no silver bullet: just encrypting data or just requiring usernames and passwords does not by itself provide adequate security. For both power system engineering and for cyber security, layers of defensive mechanisms are better than a single solution. That is why redundant protective relays are used in a substation, and why even authorized input data should be checked for validity and reasonability. Ultimately no protection against attacks, failures, mistakes, or natural disasters can ever be completely absolute. Therefore the planning of coping mechanisms during emergency situations, and recovery procedures from those emergency situations, must also be part of a complete resilience strategy.

Threat agents can be defined as one of the following:

Malicious person [malicious] who is deliberately attacking systems for financial, power, revenge, or other gain.

Inadvertent mistake [error] caused by a person who either failed to pay attention or did not recognize the consequences of their action. Computer applications can also have bugs or other flaws that cause them to misoperate. Poorly designed systems and inadequate operating procedures also fall in this category.

Equipment failure [failure] that was not any person's fault, but reflects the fact that electronic and mechanical devices can fail. Equipment that responds in unexpected ways to normal conditions can also be placed in this category.

Natural disasters [disaster] caused by events completely outside the control of humans.

The following sections discuss some of the most common threats which can have significant impacts. Understanding these threats can help in the development of the best mitigation strategies.

4.2.2.1 Inadvertent Threats

Inadvertent threats are more common than deliberate attacks, while the impacts of these inadvertent actions are not focused on any specific purpose. This makes these threats less easy to prevent but more amenable to layers of security and to resilience designs and operations. Utilities have a lot of experience in designing systems to resist and cope with these types of threats. However, other DER stakeholders often do not have this extensive experience, since integration of DER systems is still a new and evolving area.

Safety Failures: Safety has always been a primary concern for any power system facilities, and must be part of DER implementation and operation. In the power industry, meticulous procedures have been developed and refined to improve safety, but not all of these have yet been fully developed for DER systems. Autonomous safety measures, such as protective relaying, are a primary defense, but monitoring of the status of key equipment and the logging/alarming of compliance with safety procedures can enhance safety to a significant degree.

Equipment Failures: Equipment failures are the most common and expected threats to the reliable operation of the power system. Often the monitoring of the physical status of DER equipment can also benefit maintenance efficiency, possible prevention of certain types of equipment failures, real-time detection of failures not previously monitored, and forensic analysis of equipment failure processes and impacts.

Software/Firmware Malfunctions: Software and firmware malfunctions (e.g. bugs, crashes, and incorrect results) can still occur even if systems are thoroughly tested, often due to the complexity of the software and how it interacts with the operating system or other software applications. Newly implemented or upgraded software applications are particularly vulnerable to malfunctions, while patches and upgrades to reliable software can sometimes cause malfunctions.

Mistakes, Carelessness, or Lack of Knowledge: Mistakes caused by carelessness or just a lack of knowledge are one of the threats to protecting DER systems, whether it is not locking doors or inadvertently allowing unauthorized personnel to access passwords, keys, and other security safeguards. Often this carelessness is due to complacency ("no one has ever harmed this DER system yet") or inexperience ("I didn't realize that the email did not come from the DER manufacturer, and so I provided the attacker with my password into the DER system").

Natural Disasters: Natural disasters, such as storms, hurricanes, and earthquakes, can lead to widespread power system failures, safety breaches, and opportunities for theft, vandalism, and terrorism. Monitoring of the physical and cyber status of DER systems in real time can provide the eyes and ears to understand what is taking place and to take ameliorating actions with respect to the utilization of DER to minimize the impact of these natural disasters on power system operations.

4.2.2.2 Deliberate Threats

Deliberate threats can cause more focused damage to facilities and equipment in substations than the inadvertent threats. The incentives for these deliberate threats are increasing, as the results from successful attacks can have increasingly economic and/or socio-political benefits to the attackers. Sophisticated monitoring of facilities and equipment can help detect and prevent some of these threats, while ameliorating the impact of successful attacks through real-time notifications and forensic trails. This is a new area for most DER stakeholders, including utilities, where the threats are less well understood. Engineers understand resilience requirements against inadvertent threats to their power systems but are still developing their understanding of how deliberate cyber threats can impact this resilience.

Disgruntled Employee: Disgruntled employees are an important threat for attacks on power system assets, including DER systems. Unhappy employees who have the detailed knowledge to do harm can cause significantly more damage than a non-employee, particularly in the power system industry where the DER equipment and supporting systems are unique to the industry.

Industrial Espionage: Industrial espionage in the power system industry is becoming more of a threat as deregulation and competition involving millions of dollars provide growing incentives for unauthorized access to information and the possible damaging of equipment for nefarious purposes. DER systems are particularly vulnerable since they are usually located in relatively unprotected environments on customer property. In addition to financial gains, some attackers could gain socio-political benefits through showing up the incompetence or unreliability of competitors.

Vandalism: Vandalism can damage facilities and equipment with no specific gain to the attackers other than the act of doing it, and the proof to themselves and others that they can do it. Often, the vandals are unaware of or do not care about the possible consequences of their actions. Again, DER systems may be particularly vulnerable to vandalism, partly because of their unprotected environments, but also because their generation capabilities can directly affect the power grid, including causing outages.

Cyber Hackers: Cyber hackers are people who seek to breach cyber security for gain. This gain may be directly monetary, industrial knowledge, political, social, or just individual challenge to see if the hacker can gain access. Most hackers use the Internet as their primary gateway to entry, and therefore firewalls, isolation techniques, and other countermeasures can be used to separate DER systems from the Internet. However, hackers may initiate multi-stage attacks that use the Internet just to set up an attack, while the actual attack occurs on a DER system that is not connected to the Internet. DER systems may use the Internet for software updates, thus opening up a channel for cyber hackers. Individual DER systems are unlikely to be targeted by sophisticated cyber adversaries (nation-states); however, when networked into microgrids and at places where DER data is aggregated they could become such targets.

Viruses and Worms: Like hackers, viruses and worms typically attack via the Internet. However, some viruses and worms can be embedded in software that is loaded into systems that have been isolated from the Internet, or could possibly be transmitted over secure communications from some insecure laptop or other system. They could include man-in-the-middle viruses, spyware for capturing power system data, and other Trojan horses. A famous (or infamous) example is the Stuxnet worm, which successfully attacked the Iranian uranium centrifuges. DER systems are equally vulnerable to such attacks.

Theft: Theft has a straightforward purpose: the attackers take something (equipment, data, or knowledge) that they are not authorized to take. Generally, the purpose has financial gain as the motive, although other motives are possible as well. Monitoring access to locked facilities and alarming anomalies in the physical status and health of equipment (e.g. not responding or disconnected) are the primary methods for alerting personnel that theft is possibly being committed.

Terrorism: Terrorism is the least likely threat but the one with possibly the largest consequences, since the primary purpose of terrorism is to inflict the greatest degree of physical, financial, and socio-political damage. Monitoring and alarming anomalies in access (including physical proximity) to substation facilities is possibly the most effective means to alert personnel to potential terrorist acts, such as physically blowing up a substation or other facility. However, terrorists could become more sophisticated in their actions, and seek to damage specific equipment or render critical equipment inoperative in ways that could potentially do more harm to the power system at large than just blowing up one substation. Therefore, additional types of monitoring are critical, including the status and health of equipment. That being said, the resilience benefits of distributed generation, which presents many small dispersed targets to the adversary, should not be overlooked.

4.3 Vulnerabilities - Engineering and Cyber Vulnerabilities

All systems have vulnerabilities. The key requirement is to develop cyber techniques, engineering strategies, and operational strategies to minimize the likelihood of an attack/failure or to mitigate the impact of an attack/failure. There is generally not a one-to-one correspondence between a vulnerability and a mitigation technique; often multiple mitigation techniques can be used in combination to address multiple vulnerabilities. Layers of mitigations can provide defense-in-depth combinations that increase the strength of these mitigations. For instance, cyber security techniques can help decrease the likelihood of a particular attack/failure, while engineering coping strategies can mitigate the impact of a successful attack or system failure.

Power System Vulnerabilities and Attacks

Power systems have been vulnerable to equipment failures, operational mistakes, and natural disasters since they were first invented. Some of the vulnerabilities are related to the software and hardware that is used in the power system equipment controllers and analysis systems.

Different vulnerabilities can be present in equipment at different stages of its life. Some vulnerabilities affect newly developed systems, such as a software bug causing incorrect results. Some vulnerabilities become more critical over time, for instance when a system that had been working correctly with small numbers of alarms is required to handle large volumes of alarms and now fails to process them. Particularly critical are the times when systems are patched or updated, since new vulnerabilities can cause a previously reliable system to fail or to be open to cyber attackers.

Some of the causes of these types of vulnerabilities include:

Equipment vulnerabilities: Equipment failures cause improper operations. For instance, a circuit breaker fails to trip during a short circuit event, causing power equipment to overload and burn, and personnel to be electrocuted.

Complexity of analysis: Complexity of analysis of large numbers of DERs provides incorrect results. For example, engineers who set protective relay parameters have not taken into account certain types of contingencies, so that one event causes a second event and causes a cascading failure of the power system, resulting in major outages.

Lack of standardized operating procedures: Lack of standardized operating procedures causes misunderstandings and results in incorrect actions, incorrect responses to situations, and confusion during emergencies.

Incorrect settings: Incorrect settings cause incorrect responses to power system situations. For instance, DER systems have not included appropriate voltage and frequency ride-through settings, which results in numerous outages whenever voltage and frequency fluctuations occur due to storms or rapid changes in sunlight or wind.

Inability to detect loss of grid power: The inability of DER systems to detect the loss of grid power causes safety concerns as well as uncertainty and delay in addressing emergency situations. For example, DER systems which are supposed to disconnect upon the loss of grid power do not disconnect, because their traditional anti-islanding methods fail to detect the loss of power due to masking by other DER systems or their own smart DER volt-var functions, causing safety problems and equipment damage.

Inadequate analysis capabilities: Inadequate analysis capabilities of software applications result in sending invalid pricing signals, control settings, and control commands to DER systems. For instance, inadequate analysis of the location and amount of DER generation causes over- or under-voltage or frequency events and results in large-scale outages.

Inadequate personnel training: Inadequate personnel training results in poor judgment on actions. For example, inadequately trained crews fail to disconnect DER systems during system maintenance activities, or fire and police are inadequately trained on how to cope with DER systems, leading to safety problems and outages.

Manipulated or mistaken market prices: Manipulated or mistaken market prices result in uneconomical or unfair actions. For instance, market pricing signals call for decreased generation when actually more generation is needed, leading to higher prices for spot generation or even outages.

Inadequately structured authority hierarchy: Inadequately structured authority or contractual hierarchy causes confusion during emergencies. For example, a DER operator ignores utility-set limits and generates more than the utility circuit can handle, damaging substation equipment and causing outages.

Degradation in analysis accuracy: Degradation over time in analysis accuracy, due to the rapid growth and resulting increasingly complex interactions between DER systems, causes increasing reliability and power quality problems. For instance, DER systems are expanding rapidly in their number and types of deployments, resulting in increasingly complex interactions between them and also between these DER systems and other grid equipment, leading to incorrect settings and non-optimal actions by operators.

Incomplete testing of complex intelligent DER systems: Multiple DER systems, each with complex intelligent behavior, cause unsafe or unexpected actions because their complexity inhibits the testing of all possible combinations of situations. For instance, intelligent DER systems capable of undertaking many new functionalities tend to have more design and operational errors, because development is more complex and testing just cannot cover all possible types of interactions. Often there are unintended consequences to actions in complex environments that may not be evident in simpler environments.

Inadequately specified requirements: Inadequately specified requirements for DER systems cause unsafe or unexpected actions, because systems that are not well understood can lead to errors in development and performance. For instance, the requirements for managing high penetrations of DER systems in coordination with existing distribution equipment are still under extensive study.

Mismatched assumptions between organizations: Mismatched assumptions between organizations result in confused or incorrect actions. For instance, if one organization uses encryption techniques or some settings not supported by another organization, then the expected interactions will not take place.

Lack of confidence in analysis results: Lack of confidence in analysis results in slow responses to problems. For example, some power flow studies or DER generation forecasts or other complex analyses may not be trusted by operators, possibly due to previous failures or inexperience with the type of analysis, leading to personnel responding slowly or taking incorrect actions.

Inadequate change management procedures: Inadequate change management causes decisions to be made on inaccurate data. For example, inadequate management of changes to systems, which should include pre-testing of the changes and the ability to restore a previous version if the changed system fails to operate correctly, could cause failures and incorrect results.

Power systems are now vulnerable to problems actually caused by cyber security technologies. These include:

Denial of service: DER systems lose access to third-party cryptographic key authentication and update servers, causing communications with the utility to be denied. Or encrypted messages increase the traffic on a communications channel to the point where a high-priority message cannot get through in a timely manner, causing an outage.

Inadequately protected backdoor access: A vendor of a DER system performs maintenance using a backdoor port, then leaves this port open. An attacker uses this port, which has complete access to the DER software since it is assumed that no unauthorized access could be possible through this normally deactivated port.

Poor management of passwords: A power system event occurs but the utility operator does not have (remember) the right password to undertake a critical DER operation to prevent a cascading failure.

Poor security maintenance: A certificate or secret key expires before a new one is activated, causing equipment to shut down or cease to respond to communication commands.

Inadequate security training: Frustrated maintenance personnel who cannot remember large numbers of passwords use the same password for all equipment. When their password is compromised by an attacker, that attacker can now access all of that equipment which was assumed to be cyber secure.

Inadequate retesting procedures: Security personnel maintain secure access to some critical equipment, but misunderstand or do not properly test a request to update the security of the software and cause the equipment to lock out.

Security management failures: Inadequate security management may allow unauthorized personnel to learn passwords or other sensitive material.

Cyber Security Vulnerabilities and Attacks

The threats can be realized by many different types of attacks, some of which are illustrated in Figure 5. Often an attack takes advantage of a vulnerability, which may be due to human carelessness, an inadequately designed system, or circumstances such as a major storm. As can be seen, the same type of attack can often be involved in different security threats. This web of potential attacks means that there is not just one method of meeting a particular security requirement: each of the types of attacks that present a specific threat needs to be countered.

Although the importance of specific cyber threats can vary greatly depending upon the assets being secured, some of the more common human and system vulnerabilities that enable attacks are:

Lack of security: Security, even if it exists, is never turned on.

Indiscretions by personnel: Employees write down their usernames and passwords and place them in their desk drawer.

Simple or easy-to-guess passwords: Employees use short alpha-only passwords or use their dog's name and/or their birthday as their password.

Social engineering: An attacker uses personal information or subterfuge to learn a user's password, such as pretending to be from a bank or leaning over someone's shoulder as they type their password.

Bypass controls: Employees turn off security measures, do not change default passwords, or everyone uses the same password to access all substation equipment. Or a software application is assumed to be in a secure environment, so it does not authenticate its actions.

Integrity violation: Data is modified without adequate validation, such that the modified data causes equipment to malfunction or allows access to unauthorized users or applications.

Software updates and patches: The software is updated without adequate testing or validation, such that worms, viruses, and Trojan horses are allowed into otherwise secure systems. Alternatively, security patches needed to fix vulnerabilities are not applied.

Lack of trust: Different organizations have different security requirements and use different cyber security standards.

Some common types of attacks include:

Eavesdropping: a hacker listens to confidential or private data as it is transmitted, thus stealing the information. This is typically used to access intellectual property, market and financial data, personnel data, and other sensitive information.

Masquerade: a hacker uses someone else's credentials to pretend to be an authorized user, and is thus able to steal information, take unauthorized actions, and possibly plant malware.

Man-in-the-middle: a gateway, data server, communications channel, or other non-end equipment is compromised, so the data that is supposed to flow through this middle node is read or modified before it is sent on its way.

Resource exhaustion: equipment is inadvertently (or deliberately) overloaded and cannot therefore perform its functions. Or a certificate expires and prevents access to equipment. This denial of service can seriously impact a power system operator trying to control the power system.

Replay: a command being sent from one system to another is copied by an attacker. This command is then used at some other time to further the attacker's purpose, such as tripping a breaker or limiting generation output.

Trojan horse: the attacker adds malware to a system, possibly as part of an innocent-appearing enhancement or application, and possibly during the supply chain (e.g. during component manufacturing, system integration, shipping, or installation). This malware does nothing until some circumstance locally or remotely triggers it to cause an unauthorized action.
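The replay and integrity-violation entries above, together with the earlier remark in 4.2 that even authorized input data should be checked for validity and reasonability, all land at the same place in a DER communications module: the point where a control command is accepted. The Python sketch below is an added example written for this edition, not code from the report or from any DER protocol implementation. It assumes a shared symmetric key, a JSON message body, a setpoint named `power_limit_pct` with a 0 to 100 percent range, and a 30-second clock-skew window; all of these are constructed for the illustration. The receiver checks authenticity (HMAC tag), then freshness (monotonic sequence number plus timestamp, which is what defeats a copied-and-resent command), then plausibility (an authentic command can still carry a value that no inverter should act on).

```python
import hashlib
import hmac
import json
import time

# Constructed shared secret for the illustration only. A deployment would
# provision a distinct key per device rather than a hard-coded constant.
SHARED_KEY = b"example-key-not-for-production"

# Plausibility limits for the single setpoint this sketch handles. The name
# and range are assumptions for the example: an active-power limit in
# percent of the inverter's nameplate rating.
SETPOINT_LIMITS = {"power_limit_pct": (0.0, 100.0)}

# Maximum accepted difference between the sender's timestamp and the
# receiver's clock, in seconds (assumed value).
MAX_AGE_S = 30


def build_command(seq, setpoint, value, key=SHARED_KEY, now=None):
    """Sender side: serialize the command and attach an HMAC-SHA256 tag.

    seq is a per-sender monotonic counter; the timestamp bounds how long a
    captured message stays usable even if the receiver loses counter state.
    """
    now = time.time() if now is None else now
    body = {"seq": seq, "ts": int(now), "setpoint": setpoint, "value": value}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


class CommandReceiver:
    """Receiver side: authenticity, then freshness, then plausibility."""

    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def accept(self, message, now=None):
        """Return (accepted, reason). Only accepted commands advance last_seq."""
        now = time.time() if now is None else now
        payload = message["payload"].encode()
        # 1. Authenticity and integrity: constant-time comparison of the tag,
        #    before the payload is even parsed.
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message["tag"]):
            return (False, "bad authentication tag")
        body = json.loads(payload)
        # 2. Freshness: a stale timestamp, or a sequence number at or below the
        #    last accepted one, means the message was copied and resent.
        if abs(now - body["ts"]) > MAX_AGE_S:
            return (False, "timestamp outside acceptance window")
        if body["seq"] <= self.last_seq:
            return (False, "sequence number already seen (replay)")
        # 3. Plausibility: an authentic command can still be wrong, so the
        #    value is checked against engineering limits before it is applied.
        limits = SETPOINT_LIMITS.get(body["setpoint"])
        if limits is None:
            return (False, "unknown setpoint %s" % body["setpoint"])
        lo, hi = limits
        if not lo <= body["value"] <= hi:
            return (False, "value %s outside [%s, %s]" % (body["value"], lo, hi))
        self.last_seq = body["seq"]
        return (True, "applied %s=%s" % (body["setpoint"], body["value"]))


def demo(now=1_700_000_000):
    """One legitimate command, the identical message resent, then an
    authentic but out-of-range value. Returns the three verdicts."""
    rx = CommandReceiver()
    msg = build_command(seq=1, setpoint="power_limit_pct", value=60.0, now=now)
    first = rx.accept(msg, now=now + 1)
    replayed = rx.accept(msg, now=now + 2)   # same bytes, valid tag, old seq
    bad = build_command(seq=2, setpoint="power_limit_pct", value=250.0, now=now)
    implausible = rx.accept(bad, now=now + 3)
    return first, replayed, implausible


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The order of the checks matters: the tag is verified before anything is parsed, so a forged message never reaches the JSON decoder, and the sequence counter is only advanced for a command that passed every check, so a rejected out-of-range command cannot be used to burn a sequence number.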

Figure 5: Security Requirements, Threats, and Possible Attacks

4.4 Risk Management and Mitigation Techniques

Risk Handling

The risk associated with an attack or failure is the combination of the likelihood of the event (including the cost to the attacker to undertake the attack) with the probable impact of a successful attack or failure. Risks can be handled in different ways:

The risk can be accepted (ignored) because the expected likelihood and impact of an event does not appear to be worth the cost of implementing mitigation measures. For instance, requiring redundant communications to all DER systems would most likely not be worth the cost of implementing such redundancy.

The risk can be shared, for instance by paying an insurance company to take on the risk. This approach is often used for protection against the loss of physical assets such as buildings and the physical DER equipment.

The risk can be transferred, for instance by contracting a third party to take responsibility for operating and maintaining DER systems.

The risk can be mitigated to different levels. For instance, some DER systems may require only the use of username/password for access control protection, while other DER systems may require two-party authentication and cryptographic certificate verification for any access.

Risk mitigation usually implies costs. These mitigation costs can range from minimal to totally impractical. Therefore, risk management is the art and science of balancing the likelihood and impact of an event against the mitigation cost. Risk assessment methodologies are covered in detail in NIST Special Publication (SP) 800-30, Guide for Conducting Risk Assessments.

Risk Mitigation Categories

Mitigations against the effects of attacks and failures are often described as having eight categories. Associated security countermeasures can mitigate one or more of these purposes; these mitigations are illustrated in Table 1:

Prevention of attack, by taking active measures that are in effect at all times and are designed to prevent a failure or attack. These usually are engineering designs and procedures, as well as cyber security design and architecture measures.

Deterrence to a failure or attack, to try to make failures and attacks less likely, or at least delay them long enough for counteractions to be undertaken.

Detection of a failure or attack, to notify the appropriate person or systems that an attack or failure event took place. This notification could also include attempts at attacks or failures that self-healed. Detection is crucial to any other security measures, since if an attack is not recognized, little can be done to prevent it. Monitoring of systems and communications is critical, while intrusion detection capabilities can play a large role in this effort.

Assessment of a failure or attack, to determine the nature and severity of the attack. For instance, is the entry of a number of wrong passwords just someone forgetting, or is it a deliberate attempt by an attacker to guess some likely passwords?

Response to a failure or attack, which includes actions by the appropriate authorities and computer systems to stop the spread of the attack or failure in a timely manner. This response can then deter or delay a subsequent attack or failure, or mitigate the impact of cascading failures or attacks.

Coping during a failure or attack, which includes initiating additional activities to mitigate the impacts, such as performing switching operations to improve the resilience of the power system, sending crews to failure sites, requiring increased authentication measures for any interactions with compromised systems, and gracefully degrading performance as necessary.

Resilience during failure or attack, which involves sustaining minimum essential operations during attack despite system compromise and some operational degradation.

Recovery from a failure or attack, which includes restoration to normal operations after a failure has been corrected, requiring full virus and validation scans of affected systems, or changing passwords for affected systems.

Audit and legal reactions to a failure or attack, which could include analyzing audit logs, assessing the nature and consequences of the event, performing additional risk assessments, and even pursuing litigation against those responsible for the event.
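The Assessment item above asks how an operator tells a forgotten password from a deliberate guessing attempt, and the Detection item calls for monitoring of systems and communications so that the question can be answered at all. The Python below is an added example, not material from the report: it runs a small rule set over a handful of constructed authentication log lines from a fictitious DER gateway (the host name, addresses, account names, log format and thresholds are all made up for the illustration) and classifies each source address as a likely forgotten password, credential guessing, or something that needs human review. The two patterns it separates are a few failures on one account followed by a success, versus many rapid failures or a walk through several account names from one source.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication log for a fictitious DER gateway. None of
# these hosts, addresses or accounts are real; the line format is invented too.
SAMPLE_LOG = """\
2015-10-01T08:00:01 der-gw01 auth: FAIL user=operator src=10.0.0.5
2015-10-01T08:00:09 der-gw01 auth: FAIL user=operator src=10.0.0.5
2015-10-01T08:00:20 der-gw01 auth: OK user=operator src=10.0.0.5
2015-10-01T09:15:00 der-gw01 auth: FAIL user=admin src=198.51.100.23
2015-10-01T09:15:01 der-gw01 auth: FAIL user=admin src=198.51.100.23
2015-10-01T09:15:01 der-gw01 auth: FAIL user=root src=198.51.100.23
2015-10-01T09:15:02 der-gw01 auth: FAIL user=service src=198.51.100.23
2015-10-01T09:15:02 der-gw01 auth: FAIL user=vendor src=198.51.100.23
2015-10-01T09:15:03 der-gw01 auth: FAIL user=operator src=198.51.100.23
2015-10-01T09:15:03 der-gw01 auth: FAIL user=maint src=198.51.100.23
2015-10-01T09:15:04 der-gw01 auth: FAIL user=admin src=198.51.100.23
"""

LINE_RE = re.compile(r"^(\S+) (\S+) auth: (OK|FAIL) user=(\S+) src=(\S+)$")

# Thresholds are assumptions for this illustration; tune them to the fleet.
WINDOW_S = 60        # sliding window (seconds) for counting failures per source
FAIL_THRESHOLD = 5   # failures inside one window that indicate guessing
SPRAY_ACCOUNTS = 3   # distinct accounts failed from one source: guessing
TYPO_MAX_FAILS = 3   # at most this many failures before success: forgot password


def parse(log_text):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "ok": result == "OK", "user": user, "src": src})
    return events


def peak_failures(fails):
    """Largest number of failures falling inside any WINDOW_S-second window.

    fails must be sorted by timestamp; a two-pointer sweep keeps this linear.
    """
    peak, start = 0, 0
    for i in range(len(fails)):
        while (fails[i]["ts"] - fails[start]["ts"]).total_seconds() > WINDOW_S:
            start += 1
        peak = max(peak, i - start + 1)
    return peak


def assess(events):
    """Classify every source address; returns a dict src -> (verdict, detail)."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if not e["ok"]]
        accounts = {e["user"] for e in fails}
        peak = peak_failures(fails)
        if peak >= FAIL_THRESHOLD or len(accounts) >= SPRAY_ACCOUNTS:
            # Many rapid failures, or one source walking through several
            # account names, is the pattern of deliberate guessing.
            verdicts[src] = ("guessing",
                             f"{len(fails)} failures across {len(accounts)} accounts, "
                             f"peak {peak} in {WINDOW_S}s")
        elif fails and evs[-1]["ok"] and len(fails) <= TYPO_MAX_FAILS:
            # A few failures on one account followed by success: most likely a
            # legitimate user who mistyped or forgot the password.
            verdicts[src] = ("forgotten-password",
                             f"{len(fails)} failures then success for {evs[-1]['user']}")
        elif fails:
            verdicts[src] = ("review", f"{len(fails)} failures, no later success")
        else:
            verdicts[src] = ("normal", "no failures")
    return verdicts


if __name__ == "__main__":
    for src, (verdict, detail) in assess(parse(SAMPLE_LOG)).items():
        print(f"{src:16} {verdict:20} {detail}")
```

Grouping by source address rather than by account is what makes the account-walking pattern visible; a per-account view would show only one or two failures each and miss it. The thresholds deliberately err toward "review" rather than silence when a source fails and never succeeds, since that is exactly the case the Assessment step is meant to look at.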

    Table 1: Mitigation Categories for Cyber-Physical Systems

    (Columns: Category, Description, Power Engineering Examples, Cyber Examples)

    Protection and Deterrence Before Failure or Attack

    Category: Preparation and protection against a failure or attack
    Description: Active measures used in normal circumstances that are designed to prevent an attack
    Power Engineering Examples: Erect substation fences; limit access to control center; specify robust, hardened equipment; design the power system with adequate flexibility to handle anomalous situations; deploy redundant equipment; establish default system settings for failures; establish autonomous modes of operation in case of lack or loss of communications; perform contingency analysis studies on power system conditions; design communication networks to be isolated from each other; train personnel adequately
    Cyber Examples: Design systems and applications to handle anomalous situations; test all software applications for both normal operations and anomalous situations; validate data entry; require message authentication; require strong passwords; use role-based access control; encrypt confidential messages; disable unneeded ports/services; require non-repudiation methods; validate patches before implementing them

    Category: Deterrence to a failure or attack
    Description: Preparing for a possible failure or discouraging someone from engaging in an attack
    Power Engineering Examples: Develop emergency operations plans and procedures; test emergency plans periodically; display signs indicating danger or private property; warn of legal actions; deploy CCTV cameras; change system settings for storms or other natural disasters; test new software and systems; assess potential failure impacts of all additions to the power system
    Cyber Examples: Develop emergency plans for network failures; display warnings when applications or data are modified; require legal acceptance when installing software

    Detection, Assessment, Response, and Coping During Failure or Attack

    Category: Detection of a failure or attack
    Description: Identifying a failure or attack and notifying appropriate entities
    Power Engineering Examples: Monitor power system status and measurements; enter events in event log; alarm operators; initiate cell phone call to on-duty person; provide quality flags for monitored data
    Cyber Examples: Detect intrusions; check signatures; scan for viruses; monitor network configurations; alarm security personnel

    Category: Assessment of a failure or attack
    Description: Assess and categorize the severity of a failure or attack, using triage concepts
    Power Engineering Examples: Initiate dynamic response to power system conditions; use power flow contingency analysis to determine changes in power system resilience; run equipment diagnostic tests
    Cyber Examples: Determine the security level of the attack's target; determine the number of simultaneous attacks; determine the type of attack

    Category: Response to a failure or attack
    Description: Stopping the spread of the failure or attack by using emergency measures
    Power Engineering Examples: Initiate emergency functions such as DER ride-through; trip breakers; shed load; increase generation; isolate microgrids; switch to different equipment settings
    Cyber Examples: Shut down network; turn off computer; isolate network

    Category: Coping during a failure or attack
    Description: Initiating additional activities to mitigate the impact
    Power Engineering Examples: Switch to backup systems; reconfigure feeders; start additional generation; manage microgrids
    Cyber Examples: Start manual activities to replace automated activities

    Category: Resilience during a failure or attack
    Description: Sustaining minimum essential operations despite the failure or attack, preparing for continuing attacks
    Power Engineering Examples: Protect against cascading failures, such as short-term voltage anomalies triggering DER systems to disconnect and causing unnecessary outages, degrading performance as necessary
    Cyber Examples: Ensuring that systems providing essential services remain operational so long as they are not directly affected by the failure or attack

    Recovery and Analysis After Failure or Attack

    Category: Recovery from a failure or attack
    Description: Restoring to normal operations after a failure has been corrected or an attack has been stopped
    Power Engineering Examples: Test all failed or compromised power equipment; restore power; switch to primary systems; re-establish normal settings and modes; return to normal operations
    Cyber Examples: Test all systems and networks; reconnect isolated networks and systems

    Category: Analysis of causes and assessment of coping response
    Description: Analysis and assessment of the nature and consequences of a failure or attack
    Power Engineering Examples: Analyze audit logs and other records; change procedures for handling similar events; provide additional training for such events
    Cyber Examples: Debrief and post-mortem analysis; system reconfiguration; policy changes


    5 CYBER SECURITY RECOMMENDATIONS METHODOLOGY

    The cyber security recommendations in this document are based on a methodology that combines empirical methods and a numerical scoring-based approach, since neither method alone has been proven to yield completely exhaustive results. Threat analysis, functional scoring, best practices, and practical considerations were all considered during the development of the recommendations.

    5.1 Methodology Overview

    At its core, the methodology used in the development of the recommendations analyzes DER inverter functions to determine the types of threats, the likelihood (risk) of those threats being realized, and the cost (financial, privacy, and societal) of the possible impact of a successful attack. The risk multiplied by the impact is then weighed against the different types and levels of possible cyber security measures, recognizing that the likelihood of certain attacks is a subjective assessment and some impacts may not be quantifiable.

    However, by investigating the functions and capabilities of the Distributed Energy Resource (DER) inverters themselves, the team was able to assess the types of cyber security measures commensurate to the criticality of each function. The methodology followed this general process:

    1. Perform threat analysis on residential inverter-based DER systems to identify threats and vulnerabilities.

    2. Enumerate potential inverter-based DER functions, since attacks on different functions could have different impacts.

    3. Score each DER function (High, Medium, or Low) on the merits of confidentiality, integrity, availability, authentication, authorization, and accountability.

    4. Combine DER scoring metrics, threat data, industry standards, and practical requirements to develop general, high-level cyber security recommendations for residential inverter-based DER systems.

    DER function scoring was repeated for each of the three DER inverter communication interfaces identified in the scope, including communications between:

    - Utility and the communication module

    - Aggregator/vendor and the communication module

    - The communication module and the DER inverter itself

    This separation ensured any variances in requirements due to differences in communication endpoints were identified.


    5.2 Inverter Functions

    The DER functions used in the scoring were derived from the IEC 61850-90-7 standard and the Smart Inverter Working Group (SIWG) Phase 1 and Phase 3 functions, which were based on and extensions to the IEC 61850-90-7 functions. The list of DER functions is enumerated in Table 2 below.

    Table 2: DER Inverter Function List

    (Columns: SIWG/IEC Function, Description)

    Anti-Islanding Protection (AI): The DER system trips off if voltage or frequency limits are exceeded over specified time periods. Although default trip-off limit settings would be implemented initially, these settings could be modifiable through agreement between the Area EPS and the DER operator.

    Low/High Voltage Ride-through (L/HVRT): The DER system remains connected during voltage excursions beyond normal limits, based on extended voltage limits during specified time windows. The DER system would disconnect only when the ride-through window has expired. Although default ride-through settings would be implemented initially, these settings could be modifiable through agreement between the Area EPS and the DER operator, based on the technical capabilities of the DER system and used to possibly mitigate abrupt losses of generation.

    Low/High Frequency Ride-through (L/HFRT): The DER system remains connected during frequency excursions beyond normal limits, based on extended frequency limits during specified time windows. The DER system would disconnect only when the ride-through window has expired. Although default ride-through settings would be implemented initially, these settings could be modifiable through agreement between the Area EPS and the DER operator, based on the technical capabilities of the DER system and used to possibly mitigate abrupt losses of generation.

    Volt-Var Mode with Watt Priority: The DER system implements volt/var curves that define the available reactive power required at different voltage levels. Settings are coordinated between the utility and DER operator. Available reactive power is defined as what reactive power is available without decreasing real power output. The DER controller contains pre-established volt/var settings, and/or volt/var settings can be updated remotely.

    Ramp Rates: The default ramp rate is established, contingent upon what the DER can do. Additional emergency ramp rates and high/low ramp rate limits may also be defined.

    Fixed Power Factor: The DER system sets the inverter to the specified power factor setting: the DER controller contains a pre-established power factor setting, and/or the power factor setting can be updated remotely.

    Soft Start: The DER system reconnects to the grid after power is restored using soft-start methods such as ramping up and/or randomly turning on within a time window after grid power is restored, to avoid abrupt increases in generation. The delay time between power restoration and the start of reconnection is preset, as are the ramping rate and the time window.

    Communication Interface: Standard interfaces can connect to different wired and/or wireless media. These media could include utility wireless systems, cell phone GPRS, customer Wi-Fi network, and the Internet. Utilities would specify which communication interface modules are required for specific implementations.

    Transport Protocols: Basic Internet transport layer standards of TCP/IP, in particular an IP address.

    Data Model: Abstract information models for DER systems should use the IEC 61850-7-420 and IEC 61850-90-7 for DER systems.

    Mapping to Application Protocols: DER systems should support the ability to map the abstract IEC 61850 information model to standard protocols, such as ModBus, DNP3 (IEEE 1815), IEC 61850 (MMS), IEEE 2030.5, etc. The default protocol for communications with a utility is DNP3 (IEEE 1815:2012), although other mutually agreed-to protocols could be used. The utility protocol may be used between a facility gateway and the utility, while the communications between the facility gateway and the DER systems may use other protocols. This gateway may be provided by the DER owner or by the utility, reflecting the most economical arrangement.

    Transport Cyber Security: Cyber security at the transport layer should be provided, such as Transport Layer Security (TLS) or IEEE 802.11i.

    User Cyber Security: Cyber security for user and device identification and authentication should be provided, based on user passwords, device security certificates, and role-based access control. Confidentiality is optional. Public Key Infrastructure (PKI) could be used for key management.

    Monitor Alarms: The DER system (and aggregations of DER systems, such as virtual power plants) provides alarms and supporting emergency information via the FDEMS to the utility. This function is feasible only if the ICT infrastructure is available.

    Monitor DER Status and Output: The DER system (and aggregations of DER systems, such as virtual power plants) provides current status, power system measurements, and other real-time data (possibly aggregated via the FDEMS) to the utility, in order to support real-time and short-term analysis applications. This function is feasible only if the ICT infrastructure is available. (Revenue metering data is provided via alternate means.)

    Limit Maximum Real Power: The utility issues a direct command to limit the maximum real power output at the ECP or PCC. The reason might be that unusual or emergency conditions are causing reverse flow into the feeder's substation, or because the total DER real power output on the feeder is greater than some percentage of total load. The command might be an absolute watt value or might be a percentage of IDER output. This function is feasible only if the ICT infrastructure is available. It might also be used to ensure fairness across many DER systems.

    Connect/Disconnect: The DER system performs a disconnect or reconnect at the ECP or PCC. Time windows are established for different DER systems to respond randomly within that window to the disconnect and reconnect commands. This function is feasible only if the ICT infrastructure is available.

    Provide DER Information at Interconnection/Startup: The DER system provides operational characteristics after its discovery and whenever changes are made to its operational status.

    Initiate Periodic Tests of Software and Patches: Initial DER software installations and later updates are tested before deployment for functionality and for meeting regulatory and utility requirements, including safety. After deployment, testing validates that the IDER systems are operating correctly, safely, and securely.

    Schedule Output Limits at PCC: The utility establishes (or pre-establishes) a schedule (e.g. on-peak and off-peak) of actual or maximum real power output levels at the ECP or PCC, possibly combining generation, storage, and load management. The reason might be to minimize output during low load conditions while allowing or requiring higher output during peak load time periods.

    Schedule DER Functions: The DER system receives and follows schedules for real power settings, reactive settings, limits, modes (such as autonomous volt/var, frequency-watt), and other operational settings.

    Schedule Storage: For a DER system that has storage capabilities, such as battery storage or a combined PV + storage system or a fleet of electric vehicles, preset time-of-charge values can be established. Settings are coordinated between the utility and DER operator. Different scenarios could include:

    - Low load conditions at night are causing some renewable energy to be wasted, so charging energy storage DER systems at that time makes power system operations more efficient.

    - DER controller charges at the specified rate (less than or equal to the maximum charging rate) until the state of charge (SOC) reaches a specified level.

    - DER controller charges at the necessary rate in order to reach the specified SOC within the charge-by time.

    Frequency-Watt Mode: The DER system reduces real power to counteract frequency excursions beyond normal limits (and vice versa if additional generation or storage is available), particularly for microgrids. Hysteresis can be used as the frequency returns within the normal range to avoid abrupt changes by groups of DER systems.

    Voltage-Watt Mode: The DER system monitors the local (or feeder) voltage and modifies real power output in order to damp voltage deviations. Settings are coordinated between the utility and DER operator. Hysteresis and delayed responses could be used to ensure over-reactions or hunting do not occur.

    Dynamic Current Support: The DER system counteracts voltage anomalies (spikes or sags) through dynamic current support. The DER system supports the grid during short periods of abnormally high or low voltage levels by feeding reactive current to the grid until the voltage either returns within its normal range, or the DER system ramps down, or the DER system is required to disconnect.

    Limit Maximum Real Power: DER systems are interconnected to the grid with a preset limit of real power output to be measured at the PCC. The reason might be that the IDER system is sized to handle most of the local load behind an ECP or the PCC, but occasionally that load decreases below a critical level and the increased real power at the ECP or PCC may cause backflow at the substation and be a reliability concern for the utility. Most likely for larger DER systems.

    Set Real Power: The utility either presets or issues a direct command to set the actual real power output at the ECP or PCC (constant export/import if load changes; constant watts if no load). The reason might be to establish a base or known generation level without the need for constant monitoring. This is the approach often used today with synchronous generators. This function is feasible only if the ICT infrastructure is available. Meter reads providing 15-minute energy by the end of the day could provide production information for operational planning.

    Smooth Frequency Deviations: The DER system modifies real power output rapidly to counter minor frequency deviations. The frequency-watt settings define the percentage of real power output to modify for different degrees of frequency deviations on a second or even sub-second basis.

    Backup Power: The DER system, including energy storage and electric vehicles, has the ability to provide real power when the site is disconnected from grid power. The reason is for providing backup power to the facility and possibly black start capabilities.

    Imitate Capacitor Bank Triggers: Similar to capacitor banks on distribution circuits, the DER system implements temperature-var curves that define the reactive power for different ambient temperatures, similar to use of feeder capacitors for improving the voltage profile. Curves could also be defined for current-var and for time-of-day-var.

    Operate within an Islanded Microgrid: After grid power is lost or disconnected, or upon command, the DER system enters into microgrid mode as either leading or following the microgrid frequency and voltage, while acting either as base generation or as load matching, depending upon preset parameters.

    Provide Low Cost Energy: Utility, REP, or FDEMS determines which IDER systems are to generate how much energy over what time period in order to minimize energy costs. Some DER systems, such as PV systems, would provide low cost energy autonomously, while storage systems would need to be managed.

    Provide Low Emissions Energy: Utility, REP, or FDEMS determines which non-renewable DER systems are to generate how much energy in order to minimize emissions. Renewable DER systems would operate autonomously.

    Provide Renewable Energy: Utility, REP, or FDEMS selects which non-renewable DER systems are to generate how much energy in order to maximize the use of renewable energy. Renewable DER systems would operate autonomously.

    Execute Schedules: The FDEMS provides scheduled, planned, and/or forecast information for available energy and ancillary services over the next hours, days, weeks, etc., for input into planning applications. Separate DER generation from load behind the PCC. This function is feasible only if the ICT infrastructure is available.

    Issue Generation and Storage Schedules: The DER system provides schedules of expected generation and storage reflecting customer requirements, maintenance, local weather forecasts, etc. This function is feasible only if the ICT infrastructure is available.

    Provide Black Start Capabilities: The DER system operates as a microgrid (possibly just itself) and supports additional loads being added, so long as they are within its generation capabilities. This function is feasible only if the ICT infrastructure is available.

    Participate in Automatic Generation Control: The DER system (or aggregations of DER systems) implements modification of real power output based on AGC signals on a multi-second basis. This function is feasible only if the ICT infrastructure is available.

    Provide Spinning or Operational Reserve: The DER system provides emergency real power upon command at short notice (seconds or minutes), either through increasing generation or discharging storage devices. This function would be in response to market bids for providing this reserve. This function is feasible only if the ICT infrastructure is available.

    Real Power Response to Demand Response Price Signals: The DER system receives a demand response (DR) pricing signal from a utility or retail energy provider (REP) for a time period in the future and determines what real power to output at that time. This function is feasible only if the ICT infrastructure is available.

    Manage Ancillary Service Response to Demand Response Signals: The DER system receives a DR pricing signal from a utility or retail energy provider (REP) for a time period in the future and determines what ancillary services to provide at that time. This function is feasible only if the ICT infrastructure is available.

    Registration (Automated DER Discovery): The DER system supports its automated discovery as interconnected to a location on the power system and initiates the integration process. This function is feasible only if the ICT infrastructure is available. Otherwise, manual methods must be used.

    PV/Storage Functions: Change the signal parameters for the storage system.

    Volt-Var mode: Provide maximum vars constrained by WMax.

    Temperature mode behavior: Temperature-based curves.

    Pricing signal mode behavior: Mode curves based on utility signal (pricing information??? double check).

    Event/History Logging: Request event logs.

    Time Synchronization: Set inverter time (manual/automated based on timing signals [GPS or network]).

    5.3 Security Assessment

    Assessing the security of each DER inverter function was based on six different items. The first three items are security objectives and the second three are security requirements:

    - Confidentiality: Imposing authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    - Integrity: Preventing improper information modification, destruction, or theft.

    - Availability: Ensuring timely and reliable access to inverter-based DERs and ensuring their ability to perform as required.

    - Authentication: A way of verifying the identity of users and devices to ensure the user or device is who or what it is declared to be.

    - Authorization: Granting permission for performing specific tasks with a device.

    - Non-Repudiation: Preventing the denial of an action that took place or the claim of an action that did not take place (note to include auditing in here as well).


    The traditional information security objectives of confidentiality, integrity, and availability form the basis of the analysis; however, the additional requirements of authentication, authorization, and non-repudiation were added to enable more granularity and emphasis on specific security issues. Each security objective was given a value of High, Moderate, or Low for every DER inverter function. The High, Moderate, and Low definitions are loosely based on Federal Information Processing Standards (FIPS) Publication 199:

    - Low: The loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

      AMPLIFICATION: A limited adverse effect means that, for example, the loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.

    - Moderate: The loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

      AMPLIFICATION: A serious adverse effect means that, for example, the loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries.

    - High: The loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation could be expected to have a catastrophic adverse effect on organizational operations, organizational assets, or individuals.

      AMPLIFICATION: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, availability, authentication, authorization, or non-repudiation might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

    Each DER inverter function value was assigned collectively by the CSI RD&D Solicitation #4 cyber working group.


    5.4 Inclusion of Threat

    Threat and vulnerability analysis was used as a feedback loop into the DER function scoring. Relevant threats and vulnerabilities were mapped to each function and included in the decision-making process of the scoring. Detailed threat analysis can be found in Section 4.

    5.5 Analysis

    The cyber security working group results for all three residential DER communication interfaces can be found in Appendix A. The values generally indicate that:

    - Authentication and integrity of data are the most important cyber security requirements, and were assessed to be critical for all types of interactions, including monitoring and control commands, to ensure that the data exchanged comes from known sources and has not been modified in transit.

    - Authorization and non-repudiation are important to ensure that commands are authorized, executed as specified, and reported back accurately.

    - Availability is less critical since DER systems usually operate autonomously and can be preset to perform the DER functions.

    - Confidentiality is only important for select DER functions where either privacy or sensitive data is being exchanged, such as personal information or contractual data. For residential DER systems, it is not expected that much confidential data will be exchanged.

    The results of this analysis led to the cyber security recommendations enumerated in Section 6.
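The scoring procedure of Sections 5.1, 5.3 and 5.4 (per-interface High/Moderate/Low values for the six items, a threat feedback loop, and a FIPS 199-style high-water mark across functions) can be worked through in code. The example below is added here and is not the working group's tooling; the function names come from Table 2, but the level assignments, the threat mapping and the one-level bump rule are constructed assumptions, not the Appendix A results.

```python
"""Worked example of the DER function scoring in Sections 5.1, 5.3 and 5.4.
Added illustration only: the function names come from Table 2, but every
level assignment and threat mapping below is constructed, not the working
group's actual results (those are in Appendix A)."""
from dataclasses import dataclass, field

# Ordered so that index() gives the FIPS 199 ordering Low < Moderate < High.
LEVELS = ("Low", "Moderate", "High")
# Three security objectives followed by three security requirements (5.3).
OBJECTIVES = ("confidentiality", "integrity", "availability",
              "authentication", "authorization", "non-repudiation")
# The three communication interfaces that were scored separately (5.1).
INTERFACES = ("utility-module", "aggregator-module", "module-inverter")


@dataclass
class FunctionScore:
    name: str
    levels: dict                                  # interface -> objective -> level
    threats: list = field(default_factory=list)   # threats mapped to this function


def rank(level: str) -> int:
    return LEVELS.index(level)


def uniform(level: str, **overrides) -> dict:
    """Same level for every objective, with per-objective overrides."""
    result = {obj: level for obj in OBJECTIVES}
    result.update(overrides)
    return result


def apply_threats(score: FunctionScore, bumps) -> FunctionScore:
    """Section 5.4 feedback loop: a threat mapped to the function raises the
    named objective by one level on every interface (constructed rule)."""
    for threat, objective in bumps:
        if threat in score.threats:
            for iface in INTERFACES:
                cur = rank(score.levels[iface][objective])
                score.levels[iface][objective] = LEVELS[min(cur + 1, 2)]
    return score


def high_water_mark(scores, iface: str) -> dict:
    """Highest level per objective on one interface across all functions
    (the FIPS 199 high-water-mark rule)."""
    return {obj: max((s.levels[iface][obj] for s in scores), key=rank)
            for obj in OBJECTIVES}


def rank_requirements(scores) -> list:
    """Objectives ordered by how often they were rated High over all
    functions and interfaces; ties keep the Section 5.3 order."""
    highs = {obj: 0 for obj in OBJECTIVES}
    for s in scores:
        for iface in INTERFACES:
            for obj in OBJECTIVES:
                if s.levels[iface][obj] == "High":
                    highs[obj] += 1
    return sorted(OBJECTIVES, key=lambda o: (-highs[o], OBJECTIVES.index(o)))


# Constructed sample scoring for three Table 2 functions.
SAMPLE = [
    FunctionScore("Connect/Disconnect",
                  {i: uniform("Moderate", integrity="High",
                              authentication="High", authorization="High")
                   for i in INTERFACES},
                  threats=["spoofed disconnect command"]),
    FunctionScore("Monitor DER Status and Output",
                  {i: uniform("Low", integrity="High", authentication="High")
                   for i in INTERFACES}),
    FunctionScore("Schedule Storage",
                  {i: uniform("Moderate", confidentiality="Low")
                   for i in INTERFACES}),
]
# Constructed mapping: a spoofable control command raises non-repudiation.
THREAT_BUMPS = [("spoofed disconnect command", "non-repudiation")]


def run_example():
    scored = [apply_threats(s, THREAT_BUMPS) for s in SAMPLE]
    return high_water_mark(scored, "utility-module"), rank_requirements(scored)


if __name__ == "__main__":
    print(run_example())
```

With the constructed inputs the high-water mark on the utility-module interface comes out High for integrity, authentication, authorization and non-repudiation and Moderate for confidentiality and availability, with integrity and authentication ranked first, which is the shape of result Section 5.5 reports.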


    6 CYBER SECURITY RECOMMENDATIONS FOR CSI RD&D Solicitation #4 DER COMMUNICATION MODULES

    6.1 Cyber Security Recommendation Categories

    This section provides the cyber security recommendations for residential inverter-based DER communications as suggested by the CSI RD&D Solicitation #4 working group. Recommendations are captured in the sections below. Recommendations are categorized using the following taxonomy:

    - Physical Security
    - Access Control
      - Authentication
      - Authorization
      - Registration
    - Integrity
      - Data Integrity
      - Hardware Integrity
    - Confidentiality
    - Cryptography/Key Management
    - Policy
      - Audit
      - Logging

    These general recommendations are intended to address cyber security implications related to DER systems that include a CSI RD&D Solicitation #4 DER communications module. These recommendations are guidelines meant to work in tandem with applicable standards and industry best practices to strengthen security for residential inverter-based DER communications. As illustrated in Figure 1, Section 6.2 outlines recommendations for communication interface A and Section 6.3 outlines recommendations for communication interface B.

    It is recognized that DER cyber security can also be enhanced through engineering strategies in the design and implementation of DER systems. Guidelines on these engineering strategies can be found in IEC/TR 62351-12, Resilience and Security Recommendations for Power Systems with Distributed Energy Resources (DER) Cyber-Physical Systems (to be published soon).

    6.2 Interface A: CSI RD&D Solicitation #4 DER Cyber Security Recommendations

    Communication interface A, as depicted in Figure 1, is the outward, wide area network-facing interface of the CSI RD&D Solicitation #4 DER communications module. It is this interface that utility, aggregator, and vendor communications will directly communicate via some routable control protocol, such as IE