  • culmegan

Thesis Publication: Securing Distributed Energy Resource Integration

{Introduction of "Securing Distributed Energy Resource Integration," 2021 M.S. Thesis by Megan Culler}

The United States is experiencing an energy revolution. Due to aging infrastructure, policy changes driven by climate change, shifting economics for new technologies, and a recognized need for long-term sustainability, there is a push towards using clean or carbon-neutral energy sources. On top of that, growing electrification and rising load continue to put a strain on existing transmission and distribution infrastructure. While the energy landscape of the future will require changes and technological advances across the industry, and may take one of many forms, it is clear that distributed energy resources (DER), including solar, wind, and storage, will play a major role.

The energy industry is facing another type of revolutionary change on top of the changes in power production, distribution, and consumption. As new technologies are introduced to make grids smarter, more efficient, and more sustainable, increased control, monitoring, and communication across the power grid is required. However, each new meter, controller, and electronic safety device is a potential target for a cyber adversary. Historically, cybersecurity was not a concern for power systems since they were largely airgapped from any publicly accessible networks. That is no longer the case, and even if appropriate protections are put in place to isolate industrial networks from commercial networks, a motivated and well-resourced adversary may find ways to access sensitive networks or devices that provide critical services.

While electric energy infrastructure may not be the first high-value target people think about for cyberattacks, there has been a rise in cyberattacks targeting industrial control systems (ICS) and a corresponding rise in attacks targeting electric energy systems over the last several years. Dragos Inc. reported in 2020 that threats to ICS are appearing at a rate three times that at which they are going dormant. The energy sector is a high-value target for cyber adversaries because of the immediate and wide-reaching consequences that a successful attack could have. Large-scale blackouts have consequences not just for our domestic lives, but also for vital health and financial systems. The importance of protecting the power grid has also been identified at a federal policy level. There are 16 critical infrastructure sectors, of which energy is one. Presidential Policy Directive 21, which establishes national policy on critical infrastructure security and resilience, identifies the energy sector as uniquely significant since it provides an "enabling function" across all critical infrastructure sectors.

There are a few attacks on the energy sector worth noting. In December 2015, Russian hackers executed an attack on a Ukrainian distribution company, disconnecting seven substations after infiltrating the supervisory control and data acquisition (SCADA) network and causing blackouts for over 200,000 customers. The outages lasted only a few hours because operators were able to restore a limited-capability manual backup mode, but they were noteworthy as the first publicly acknowledged cyberattacks to result in power outages. Attacks occurred again in 2016, this time with more advanced, targeted malware, shutting off approximately 20% of Kiev's power.

Shortly following these attacks was another that raised concern in the industry, the Triton (or Trisis) malware. This malware was targeted to interfere with the function of Triconex controllers, which are mostly used in safety instrumented systems. This malware was particularly noteworthy because it targeted safety systems, making it clear that the intended outcome was physical breaches of safety. While the particular device targeted is mostly used in the oil and gas sector, similar devices are used widely across the electric energy industry. Accenture and Dragos have not named an attacker for this case, but propose that the advanced capabilities used suggest a nation-state attacker. Over a year after the attack, FireEye Intelligence released evidence that the source of the attack was a Russian government-owned technical research institution.

While operation-focused attacks may continue to be the most impactful threat, ransomware attacks are rising in frequency and beginning to target industrial sectors. Traditionally, ransomware targets enterprise systems, but attackers have learned that cyber-physical processes are good targets too. Particularly in the electric energy industry, there is a need for constant availability of systems. If ransomware can shut down resources critical for operation, companies may be more likely to pay the ransom immediately rather than try to remove the ransomware on their own. The rise of ransomware targeting ICS has been noted by multiple sources. In fact, 33% of ICS companies surveyed by Kaspersky in 2018 indicated that ransomware was one of the top three incidents they were concerned about for their industrial control networks, and 30% indicated that ransomware was a cause of ICS cybersecurity events that they experienced in the previous twelve months. In 2019, a ransomware attack on a natural gas compression facility forced operators to shut down operations for two days. The details of the ransomware variant were not made public, but Dragos learned that it was likely the Ryuk ransomware, a variant that was originally tied to the North Korean Lazarus Group but is now believed to be from a cybercriminal group.

This attack started with a spearphishing attack that allowed the adversaries initial access into the system. This is a common starting point for many attacks, and it points to the need for continued employee cybersecurity training. Although the facility could still operate, there was a lack of visibility into real-time and historical data, which made continued operation unsafe. This fact raises a critical consideration: Cyberattacks do not necessarily have to directly impact key processes in order to indirectly shut those processes down.

Finally, and perhaps most noteworthy for this thesis, a cyberattack affecting wind and solar plants in the U.S. occurred in 2019. A vulnerability in the network firewalls was exploited to force the devices to reboot, causing communication outages in five-minute periods over a total of twelve hours. This attack did not cause any power outages or stop generation at the DER sites, but it did block visibility into the system and interrupt the ability to make operational changes. Notably, it is not believed that the unknown hackers targeted the energy sector, and they may not have even known what devices they were attacking. This event underscores the vulnerability of the grid to a wide range of attacks, not just nation-state actors, advanced persistent threats (APTs), or financially motivated cybercriminals. If this attack had targeted an entity making frequent active operational decisions, the consequences could have been more severe.

Within the landscape of growing cybersecurity threats to the electric energy industry, the growth of DER presents certain challenges that have not been well addressed. By their nature, DER are distributed, meaning that individual devices may be separated geographically, and at the least, the devices are not concentrated in a single center the way a traditional power plant is. To manage and monitor these distributed devices requires increased communication, and particularly calls for increased remote communication capabilities. This need is further increased by the fact that many DER may be owned by consumers or third-party aggregators, requiring more coordination on both ends to successfully integrate DER. Remote communication can be especially vulnerable to cyberattacks.

DER can also serve a wider variety of functions than most assets in the power system. Rather than being limited by rotational mechanics, most DER are inverter based, meaning they can ramp power up and down very rapidly, and control active and reactive power separately, which makes them very flexible. However, if these increased capabilities are maliciously used, the benefits they provide to connected grids can quickly become big risk factors. Due to the new and rapid technology development of DER and the risks described above, there is a strong need to evaluate cybersecurity risks and provide proactive prevention, detection, and mitigation solutions.

The rising use of DER presents unique challenges to ensure that power grids are protected from cyberattacks. Cardenas et al. suggest that DER penetration is not yet high enough to pose a significant concern, but if penetration continues to grow, the risks will need to be addressed. It is critical that we address the cybersecurity risks of DER before they are so widely deployed that these risks pose significant danger. Proactive research in DER cybersecurity is the only way we can develop the technology, standards, and policies required to ensure that power and energy infrastructure is well protected.

In this thesis, network and cyber-physical security for DER are analyzed in two ways. In the first part of the thesis, we discuss the communication and interoperability requirements for generic DER and how they can be adversarially manipulated. The focus is on these cyber-physical interactions, as they are unique for DER and require novel cybersecurity solutions. A defense mechanism is proposed to stop these kinds of attacks before they occur by inspecting incoming commands to the DER and evaluating their safety given the current modes active on the device and the current system measurements. In the second part of the thesis, we focus on storage devices as DER. Storage devices by nature can inject and absorb power, which makes them more interesting to evaluate. Grid stability impacts, battery hardware impacts, and economic impacts of cyberattacks on grid-scale storage are presented. Finally, we present a case study of a real storage device in a field-tested setup. A security analysis is performed on the communications and command interface, and security properties that make the device more robust against attacks are presented.
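To make the command-inspection idea concrete, the following is an added illustration written for this post; it is not the thesis's tool or code. It assumes a simplified DER state (active grid-support mode plus live voltage, frequency and output measurements) and a constructed policy: setpoints must stay within rating and a ramp limit, manual commands must not contradict the autonomous mode already active, and a disconnect that would drop a large amount of generation is refused when no abnormal grid condition exists. All limits, mode names and the sample commands are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed, hypothetical policy limits for the example (not from the thesis).
MAX_RAMP_FRACTION = 0.20          # largest allowed setpoint change per command, as a fraction of rating
MAX_Q_FRACTION = 0.44             # reactive power limit as a fraction of rating
NORMAL_VOLTAGE_PU = (0.88, 1.10)  # normal continuous-operation voltage band, per unit
NORMAL_FREQ_HZ = (59.5, 60.5)     # normal continuous-operation frequency band
NOMINAL_FREQ_HZ = 60.0
KNOWN_MODES = {"idle", "fixed-pf", "volt-var", "freq-watt"}


@dataclass
class DerState:
    mode: str            # grid-support mode currently active on the device
    p_rated_kw: float    # nameplate active power rating
    p_now_kw: float      # measured active power output
    voltage_pu: float    # measured point-of-connection voltage
    freq_hz: float       # measured grid frequency


@dataclass
class Command:
    name: str                      # set_active_power | set_reactive_power | set_mode | disconnect
    value: Optional[float] = None  # setpoint in kW or kvar
    mode: Optional[str] = None     # target mode for set_mode


@dataclass
class Verdict:
    allowed: bool
    reason: str


def grid_is_normal(state: DerState) -> bool:
    """True when voltage and frequency are both inside the normal operating bands."""
    v_lo, v_hi = NORMAL_VOLTAGE_PU
    f_lo, f_hi = NORMAL_FREQ_HZ
    return v_lo <= state.voltage_pu <= v_hi and f_lo <= state.freq_hz <= f_hi


def inspect_command(cmd: Command, state: DerState) -> Verdict:
    """Decide whether an incoming command is safe given the active mode and live measurements."""
    if cmd.name == "set_active_power":
        if cmd.value is None or not 0.0 <= cmd.value <= state.p_rated_kw:
            return Verdict(False, "active power setpoint outside [0, rating]")
        if abs(cmd.value - state.p_now_kw) > MAX_RAMP_FRACTION * state.p_rated_kw:
            return Verdict(False, "setpoint change exceeds ramp limit")
        # freq-watt curtails output above nominal frequency; a command raising output contradicts it
        if state.mode == "freq-watt" and state.freq_hz > NOMINAL_FREQ_HZ and cmd.value > state.p_now_kw:
            return Verdict(False, "raising output contradicts active freq-watt curtailment")
        return Verdict(True, "within rating, ramp limit and active mode")
    if cmd.name == "set_reactive_power":
        if state.mode == "volt-var":
            return Verdict(False, "manual reactive setpoint conflicts with active volt-var mode")
        limit = MAX_Q_FRACTION * state.p_rated_kw
        if cmd.value is None or abs(cmd.value) > limit:
            return Verdict(False, "reactive power setpoint outside +/- capability limit")
        return Verdict(True, "reactive setpoint within capability")
    if cmd.name == "set_mode":
        if cmd.mode not in KNOWN_MODES:
            return Verdict(False, f"unknown mode {cmd.mode!r}")
        return Verdict(True, "known mode")
    if cmd.name == "disconnect":
        if grid_is_normal(state) and state.p_now_kw > 0.5 * state.p_rated_kw:
            return Verdict(False, "disconnect would drop significant generation with no abnormal grid condition")
        return Verdict(True, "disconnect permitted")
    return Verdict(False, f"unsupported command {cmd.name!r}")


def inspect_batch(cmds: List[Command], state: DerState) -> List[Verdict]:
    """Evaluate a sequence of commands against the same device snapshot."""
    return [inspect_command(c, state) for c in cmds]


# Constructed sample: a 100 kW inverter exporting 80 kW in fixed-pf mode under normal grid conditions.
SAMPLE_STATE = DerState(mode="fixed-pf", p_rated_kw=100.0, p_now_kw=80.0, voltage_pu=1.01, freq_hz=60.0)
SAMPLE_COMMANDS = [
    Command("set_active_power", value=70.0),    # 10 kW step: allowed
    Command("set_active_power", value=0.0),     # 80 kW step: ramp limit exceeded
    Command("set_active_power", value=150.0),   # above nameplate rating
    Command("set_reactive_power", value=30.0),  # within the 44 kvar limit
    Command("disconnect"),                      # normal grid, high output: refused
    Command("set_mode", mode="island"),         # mode the device does not support
]

if __name__ == "__main__":
    for c, v in zip(SAMPLE_COMMANDS, inspect_batch(SAMPLE_COMMANDS, SAMPLE_STATE)):
        print(f"{'ALLOW' if v.allowed else 'DENY ':5} {c.name:20} {v.reason}")
```

The key design point is that the same command can be safe or unsafe depending on the state already on the device: a reactive setpoint is fine in fixed-pf mode but contradicts an active volt-var curve, and a disconnect is acceptable during a genuine voltage excursion but suspicious when the grid is healthy and the unit is exporting heavily. Inspecting commands against mode and measurements, rather than only against a static allowlist, is what lets the filter catch abuse of legitimate DER capabilities.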

Although the need for cybersecurity for DER is growing, most research in the field addresses potential attacks based on common network configurations and DER capabilities. This thesis augments previous work by providing a detailed analysis of the vulnerabilities of the IEEE 1547 standard rather than generic functionalities, and by detailing specific impacts of cyberattacks on DER across grid impact, device impact, and economic impact categories. Novel work presented here also shows the feasibility of attacks and the benefits from adding security features to communications protocols. Related work has been done with hardware-in-the-loop simulations, but this work studies cybersecurity on fully deployed hardware systems. While there has been work in the broader areas of attack detection and of deep packet inspection, this work also provides a novel tool to detect attacks specific to DER capabilities.
