The demand for public grid data to spur renewable energy development has raised a thorny question: Can utilities and regulators shield sensitive information from hackers while speeding up the transition to clean power?
The U.S. grid is undergoing a radical shift to digitization to accommodate millions of "smart" technologies spanning everything from rooftop solar panels to electric vehicle chargers. But cybersecurity experts are warning that the wave of accompanying data — including publicly available tools renewable developers use to find project sites — can also be abused by hackers looking for vulnerabilities in the grid.
"The challenge that we face nationwide is how to accelerate progress toward having clean energy and increased reliance on solar and wind — and do so at the same time that we do not give [Chinese President] Xi Jinping the keys to the kingdom," said Paul Stockton, former assistant secretary of Defense for homeland defense and author of a recent paper on distribution-level grid data.
Such information can come in a variety of forms and is often prepared by utility companies. In California, so-called integration capacity analysis maps show where the grid can accommodate new renewable energy sources and where upgrades may be needed. In Minnesota, similar records are known as hosting capacity analysis maps. Vermont has the GMP Solar Map, which shows available capacity on the grid. All can be used by solar developers to find the ideal spot for new projects.
"Access to grid data is highly useful for developers because it tells them where they can site solar projects without incurring extra charges from grid upgrades — which are needed if the distribution grid in that area already has a lot of solar on it and doesn’t have room for more," said Rosana Francescato, communications director for the California-based clean energy advocacy group Clean Coalition.
But security experts are warning that clean energy developers and nation-backed hackers are often after the same grid data.
Richard Mroz, senior adviser to grid security advocacy group Protect Our Power and former president of the New Jersey Board of Public Utilities, said that the battle over public information is not a new one, but the conflict between making data accessible and protecting public safety is a growing concern that state regulators are still figuring out.
"Before it was pretty straightforward: You had a power plant and a transmission line and a circuit that went down to your home’s wires, and there wasn’t much else there," said Mroz. "But now we’re talking about software, talking about equipment, talking about digital components, talking about the mapping of it all and about the architecture. It’s a different world, and the regulators haven’t caught up to it."
Mroz said that developers and policymakers need to "catch up" and create smart grid legislation that will address the issues around public grid data.
"It’s expanded tremendously, just because the nature of the technology expands exponentially, but also the pace at which it’s being deployed," Mroz said. "As a former regulator I can say this: Regulators don’t react real quickly to things."
This is particularly true for distribution utilities that don’t typically fall under federal cybersecurity oversight. These can include rural cooperatives and municipally owned power providers that already face a host of issues when it comes to protecting their networks from online threats.
A recent report by the National Association of Regulatory Utility Commissioners noted that distribution utilities are struggling with the notion that potentially millions of consumer-based devices will be linking up with the grid.
"The growing connectivity between the grid and customer devices increases cybersecurity vulnerabilities and broadens the threat landscape by expanding the number of potential entry points through which malicious cyberattacks can be launched," the report said.
Meanwhile, the Government Accountability Office warned that the increasing cyberthreats to distribution energy companies are not being adequately addressed by the federal government (Energywire, March 19).
The government watchdog said that the increasing digitalization and reliance on monitoring technologies and internet-facing consumer devices can open additional weak points that can be used to attack the grid. Additionally, the vulnerabilities "are compounded for distribution systems because the sheer size and dispersed nature of the systems present a large attack surface."
The report also said that while many state energy regulators are adding cybersecurity into their oversight responsibilities, such rules can vary widely. Some distribution utilities implement existing cybersecurity standards from federal entities such as those developed by the North American Electric Reliability Corp. and the Federal Energy Regulatory Commission, it said. But distribution utilities also must contend with resource and staff shortages that can make managing a cyber emergency difficult.
Manny Cancel, senior vice president at NERC and CEO of the Electricity Information Sharing and Analysis Center, said that the grid security overseer is exploring how best to extend "the criteria or the standards that apply to high-impact assets down the chain to medium and low."
"The extension, we think, is not a huge lift," Cancel said. "But that being said, the cost associated with doing that and the value still needs to be deliberated more closely, and I’m sure the industry will encourage us to do that."
Cancel said NERC does not want to "inhibit the use of renewable energy" but rather ensure new grid edge technology is secure as it’s being developed and added to the North American power networks.
"If you think about wind, solar, battery storage, the time to figure out cyber concerns is not after it’s been connected to load," Cancel said. "It’s beforehand. That’s where I think NERC will work more deliberately with our entities to sort of say, ‘What’s the right answer here?’
"I think the good news is that the answers exist," Cancel said.
Lessons from Ukraine attack
A 2016 study by the Energy Department’s Idaho National Laboratory warned that the lack of uniform standards for distribution systems, combined with increasing cyber vulnerabilities, means that an attack on the distribution grid could have cascading impacts on larger transmission substations, affecting more people.
But while gaps in distribution utilities’ defenses have been getting more attention recently, the risks posed by reams of new smart data are still not fully understood, experts say. Finding holes in a company’s network is one thing, but using those vulnerabilities in a way that can impact the grid is another challenge altogether, they say. But once information is posted publicly online, it’s nearly impossible to remove it.
Stockton pointed to the 2015 Russia-linked cyberattack against Ukraine’s power grid as an example. The hacking group dubbed "Sandworm" attacked three utilities and shut the power down for more than 250,000 people in the first known instance of a cyberattack causing a temporary blackout.
But one of Sandworm’s first moves, Stockton noted, was performing reconnaissance to learn how to later manipulate the industrial control systems and shut off the power in the middle of winter.
"As in the case of Russia’s attack on Ukraine’s distribution system, adversaries will seek to map and then selectively attack infrastructure based on where the most critical infrastructure is, so they can attempt to target particularly important grid customers," Stockton said.
Stockton said that the main risks come from mapping out data on peak electricity loads and related information, which adversaries could use to attack distribution systems when grid operators have the least room for error.
However, Francescato of the Clean Coalition pointed out that nearly anyone can "infer when the peak load will be in, say California, by looking at weather patterns."
"Peak load days/times here are at the hottest time of the year," Francescato said.
Stockton countered that nation-backed hackers could leverage such data to time their attacks to maximize potential power disruptions.
"To help fight climate change, it’s absolutely vital that we increase our reliance on variable generation, above all solar and wind, and ensure that developers, including distributed energy resources, have the data that they need to design and advance their project," Stockton said. "Sharing data is absolutely vital to this progress. The question is how do we share that data in a way that’s secure?"
States take action
Several state energy regulators have been grappling with those questions.
In October, the Minnesota Public Utilities Commission released a request for comments on the security issues surrounding public distribution grid data. The state asked for input related to which frameworks should be used to protect that data and who should get access to it. Initial comments were due by April 30, and replies are due May 10.
So far, the major energy utilities in Minnesota — Xcel Energy Inc., Minnesota Power, the Dakota Electric Association and Otter Tail Power Co. — have all warned that publicizing certain types of grid data could pose a threat to energy security and customer privacy.
"Some other states have taken steps to require the provision of distribution grid information to support growing [distributed energy resources] and the development of DER markets," Xcel wrote. "However, this has largely been done without full consideration of security issues, or when the risks of public disclosure of the data may not have been well known."
Dakota Electric warned that the location and type of distribution system components, if published, could pose a risk to hospitals, banks and other critical sites.
"Using this distribution system connectivity data, one could even sever the electrical supply to large areas of the system, including entire cities," Dakota wrote.
Meanwhile, solar developers Impact Power Solutions, Nokomis Energy, Novel Energy Solutions LLC and United States Solar Corp. filed a joint letter April 30 saying that "open access to grid data is a key prerequisite for the orderly planning and development of distribution-connected [distributed energy resources]." Minnesota shouldn’t construct "arbitrary and unnecessary barriers," the companies said, and should instead find "the actual level of risk associated with the concern."
The solar developers said lack of peak-load and load-shape data would make it "difficult for DER developers to analyze and identify grid locations where solar-plus-storage projects could be economically feasible."
Minnesota Power said that "there is not currently an approved model that is sufficient to address" grid security concerns with releasing detailed distribution-level data. The utility company said that some states, such as California and New York, are "the furthest along," but "a set of concrete standards for security on the distribution system has yet to be developed."
In 2018, the confidentiality of grid data came up in a rare public debate in California, where renewable energy developers clashed with utilities after power providers removed key data points from a public grid map over security concerns.
The move sparked outrage among clean energy advocates, Greentech Media reported at the time, and the public utility commission stepped in to require utilities to reopen the maps.
Stockton and other experts have advocated for a "risk-based framework" to determine which data could safely be made public, which should be kept protected and which should be shared securely on a limited basis.
"Many states have had requirements for the public display of distribution system data that predates the rise of much more serious Chinese and Russian threats to distribution systems," Stockton said. "We need to strengthen the secure sharing of data in ways that reflect the increasing severity of the threat, and the likelihood that these threats will continue to intensify in the years to come."
U.S. intelligence officials agree: Their latest Annual Threat Assessment report lists that Russia and China can cause "localized, temporary disruptions" to critical infrastructure. Russia breaching U.S. critical infrastructure networks "improves — and in some cases can demonstrate — its ability to damage infrastructure during a crisis," the report said.
The Biden administration has taken notice, planning a series of high-level actions in the coming weeks addressing grid security (Energywire, April 21).
"The United States faces a well-documented and increasing cyber threat from malicious actors seeking to disrupt the electricity Americans rely on to power our homes and businesses," Energy Secretary Jennifer Granholm said in a statement last month. "It’s up to both government and industry to prevent possible harms — that’s why we’re working together to take these decisive measures so Americans can rely on a resilient, secure and clean energy system."