The Biden administration’s push to improve U.S. grid cybersecurity defenses is running up against a patchwork of state-level regulations that could derail federal efforts to protect fast-growing renewable energy resources from hackers.
The departments of Homeland Security and Commerce last month released "best practices" aimed at boosting critical infrastructure security, following up on a presidential memo in July that called for voluntary goal posts to combat "woefully insufficient" cyber oversight (Energywire, July 29).
But experts warn that as distributed resources like solar and wind are added to the U.S. power grid, the increasing connectivity among electricity systems provides new opportunities for hackers to sow chaos in energy networks that are beyond the reach of the White House but fall under the jurisdiction of state rules.
"The Biden administration has done a pretty good job at bringing focus to all these issues," said Richard Mroz, senior adviser to grid security advocacy group Protect Our Power and former president of the New Jersey Board of Public Utilities. "The challenge, however, with the electric grid on cybersecurity issues falls to the dichotomy of the jurisdiction in the United States over the [bulk] power system versus the distribution system."
Grid cybersecurity regulations from the Federal Energy Regulatory Commission and the North American Electric Reliability Corp. don’t always apply to smaller generators like wind turbines or rooftop solar panels. As a result, such technologies are routinely left more exposed to hacking than the closely guarded, centralized power plants and transmission lines that make up the bulk power grid.
"We’re seeing a tremendous amount of change with very, very little regulatory oversight for these technologies," said Tobias Whitney, a vice president at cybersecurity firm Fortress Information Security.
Many distributed resources are "still relatively new, so some don’t have to follow the cybersecurity standards set by NERC," said Whitney, a former senior manager at the nonprofit grid overseer.
The stakes are high: U.S. intelligence officials have warned that state-backed hackers could cause temporary disruptions of critical infrastructure networks (Energywire, April 14). Many utilities have scant resources for cyber investments, and varying state rules can pose challenges for larger companies.
"There’s normally 50 different flavors across states. Even within the states, given the different regulatory jurisdictions, it’s very different," said Kevin Jones, director of Vermont Law School’s Institute for Energy and the Environment.
However, some state utility regulators say they’ve felt left out of some of President Biden’s recent moves, including a national security memo on improving cybersecurity for industrial control systems like those that underpin the grid. The National Association of Regulatory Utility Commissioners has called for more dialogue between the federal government and state authorities to fully protect the grid.
Lynn Costantini, deputy director at NARUC, said she’s encouraged by the "momentum" on cybersecurity at the White House, but noted that the group has not heard from the administration.
"My disappointment was in the definition of public-private partnerships: To the administration, it sounded to me like the ‘public’ part of the partnerships was the federal government," Costantini said.
"I think they are missing a tremendous opportunity to the other side of the government, and that is state government."
Dianne Solomon, critical infrastructure chair at NARUC, said that the states provide much of the cyberthreat data and defensive measures distributed through information sharing and analysis centers, or ISACs. "So if you’re looking to connect the dots, and you’re leaving one of the main dots off the map, I see that as problematic," Solomon said.
State utility regulators typically sign off on any expenses that regulated utilities pass on to electricity customers, meaning they play a key role in cybersecurity spending.
"I think one of the main issues is how do you pay for it," Solomon said. "These are the things we deal with on a regular basis, and I think that if you leave us out of those conversations, you may come up with solutions — but then how you get them enacted could be a problem if you don’t have that regulator or those states at the table."
Asked about NARUC’s concerns, a National Security Council official pointed out that the group participates in the Energy Sector Government Coordinating Council, which includes the NSC as well as the Office of the Director of National Intelligence, among other federal, state and local representatives.
The official also cited a "cooperative agreement" with the Energy Department that has led to "DOE-funded cybersecurity training for over 400 public utility commissioners, commission staff and other state energy officials."
Of the Biden memo, the official said that the goals were developed with "as much interagency and industry input as practical for the initial timeline using existing coordinating bodies," crediting state regulators and energy offices as a "critical voice."
‘A mixed bag’
Solomon said that new technologies like solar or wind are "a major issue for our organization and for utility regulators to address."
As distributed energy resources rapidly advance, the concern over the cybersecurity of those systems "has risen to the level of C-suite offices," Solomon added.
Unlike large power plants and high-voltage transmission lines, distribution-level power networks that deliver electricity to homes and businesses are overseen at the state level. The ways states and individual utilities handle cybersecurity for these systems — and the small-scale renewable resources connected to them — can vary widely.
"A distribution system when you’re talking in New York City for a huge company like ConEd is going to be very different from the distribution system in a rural area that might be preferred by a cooperative. So it’s really a mixed bag," said Vermont Law’s Jones, who was the project lead on a 2019 paper on distribution-level cybersecurity.
Jones said that one major roadblock to cybersecurity investment is cost. A rate case may be approved to add millions of dollars for cybersecurity investments, but that revenue may then be taken away from someplace else.
"Whether it’s for preventing cybersecurity or hardening from severe weather, the problem is that those investments have cost implications and legal implications, and the entity that’s really overseeing what is an acceptable level of rates ultimately goes back to the state," Jones said. "The public power entity’s goal is providing service at an affordable price, and they don’t worry about investment return on equity for their shareholders."
That means the cyber readiness of utilities with distribution systems can vary widely, depending on the size of the company and its ability to cover costs in the event of a cyberattack.
Focus on wind
Wind energy, for example, is one of the fastest-growing additions to the distribution grid, where installations don’t typically face cybersecurity scrutiny.
"Smaller applications, distributed wind turbines, they may be more vulnerable because they don’t have to meet such a stringent cybersecurity standard," said Jake Gentle, senior power systems engineer for DOE’s Idaho National Laboratory.
INL said in a recent guidebook that distributed wind systems — small-scale projects based near homes or businesses that use their electricity — have the potential to be added to nearly half of all U.S. buildings.
A cyberattack on such networks may not cause any blackouts, but experts say hackers could still pose a threat to rural communities.
"The impact to the bulk electric system or our national electric grid is minuscule. It’s basically zero," said Gentle. "From a local perspective — generated locally, consumed locally — that impact could be very high."
INL researchers have called for further development of cybersecurity standards for distributed systems.
One of the goals of the report was to highlight existing best practices, said Gentle. Professional organizations like the Institute of Electrical and Electronics Engineers have a slew of cyber recommendations for distributed technologies, some of which can be applied to wind.
"We’re not just starting from scratch," said Megan Culler, a power engineer specializing in distributed energy resources, cybersecurity and resilience at INL. "Even though the standards and the guidelines exist, the motivation is not necessarily there. So we want to highlight the reason we need the security even if you’re not required to."
Still, securing distributed energy systems writ large is far too complex for any single overarching standard to cover, INL said.
"No single cybersecurity standard can address all security requirements, security controls, resilience strategies, and technologies particularly for such a complex domain as DER," said INL.
Cyberattacks pose a major problem for renewable energy, and the increasingly interconnected systems mean that one insecure network can quickly become the launching point for a much larger attack, experts say.
“People will say to me, ‘Well, solar … networks are not that complicated; what kind of damage can you really cause?’” said Leo Simonovich, head of industrial cybersecurity at Siemens Energy. “But we’ve seen examples where there were solar farms where it started with one turbine, and then we turn around and then in a few hours, six solar farms were impacted by a single piece of malware.”