Cybersecurity & Virtual Power Plants

Virtual power plants  VPPs) are an aggregation of either utility-held or behind-the-meter distributed energy resources (DERs) through a distributed energy resource management system (DERMS). Distributed energy resources (DERs) is a growing market, in spite of cultural pressures, which includes solar, battery energy storage systems (BESS), electric vehicles and EVSE chargers, and smart home devices like thermostats and water heaters.

Through the use of a DERMS, utilities can leverage these DER assets to either redistribute communally generated resources like solar or ambient stored battery energy, or to shift load through aggregate conservation demand flexibility programs like demand response or EV charging, which shifts loads to off-peak hours of demand. Virtual power plants represent both of these strategies, enhancing grid resiliency while defraying high operational costs and deferring expensive infrastructure upgrades. 

The Necessity to Secure Utilities

Because DERs can be connected directly to the utility’s power grid or isolated via stand-alone applications through DERMS, they both require different approaches and applications of cybersecurity; protecting these virtual assets is critical to the security of the grid. Grid security represents both a physical and virtual target to nation state actors, organized crime, and even hacktivists. While motives vary by cyber-threat, the outcome remains the same: to undermine critical infrastructure to compromise the safety and security of the state. Securing electric grids virtually is vital to national security and considerable efforts must be taken to protect it.

Starting Points for Virtual Power Plant Cybersecurity

Protecting and securing any system starts with understanding the components involved in providing/producing the product and/or service. In our case, Virtual Peaker provides a cloud-based software (DERMS) to utility companies that assist in managing and optimizing DERs for the purposes of grid stability through demand control. As such, virtual power plants create numerous attack surfaces including DERs and DERMS.

According to CompTia Security+, the attack surface is the “total sum of all potential entry points and vulnerabilities in a system or network that an attacker could exploit. It represents the scope of potential weaknesses that could be used to compromise a system.” Entry points in a system or network include

• User devices
• Misconfigured cloud services
• User emails (used for phishing)
• Application programming interfaces (APIs)
• User credentials for web applications
• Weak firewalls
• Virtual private networks (VPNs)
• Smart devices
• Remote access points
• Social media

These entry point examples can be grouped in one of 5 categories:

• Network & Infrastructure
• Web Application & Software
• Human & Social Engineering
• Cloud Environment
• Interment of Things (IOT) & Operational Technology (OT)

Each category has its own best practices and standards to secure. For the utilities industry, government regulations such as NERC CIP, CISA, and NIST must be included when securing entry points.

A Few Key Components of the Virtual Power Plant Landscape

Cybersecurity is about hardening systems to reduce the attack surface and prevent data breaches. As it relates utilities, some systems that make-up the attack surface include:

• DERs themselves
• DERMS
• DER vendors/owners/operators and/or aggregators
• DER to utility communication networks
  • Defined as a specific set of communications between the DER and the electric utility
• Utility protection controls (trip settings for the protection devices and/or the coordination management system)
• DER communications
• Defined as a broad set of communications which can occur:
  • between the DERs themselves (p2p)
  • between the DER and the DERMS (DER to cloud platform)
  • Internal DER communication
  • DERs to local controller/gateways (an onsite system that communicates w/ the utility)
  • DER internal communications (local)

While critical to the realization of a virtual power plant, distributed energy resources increase the attack surface as it relates to grid security. The attack surface is the total set of potential entry points or vulnerabilities on a system or network that an attacker could exploit. Since a data endpoint repository is an endpoint, the attack surface includes all possible ways an attacker could try to access or compromise the distributed energy resource (DER), such as its network connections, software interfaces, user accounts, and even the supply chain.

Targeted Attack Strategies Against the VPP

There are numerous attack vectors and strategies that bad faith actors use to exploit a systems cybersecurity. Specific targets when attacking virtual power plants include:

• Firmware provided by DER stakeholders (like DER vendors, owners, operators, or aggregators)
•  DERMS
• DER network communications
• Utility protection controls

Firmware is the software that is embedded in the hardware. DER and DERMS manufacturers and providers can be misconfigured during factory shipment, which leads to supply chain attacks from the utility’s standpoint. The misconfigured DER can cause issues when executing scheduled updates (patches). The errored patches can lead to abnormal grid operations.

Misconfigured DERs that are a part of DER-to-utility communication networks or DER aggregator systems (or any DER stakeholders) can change “ride through” settings which controls how the DER adjusts itself during grid disruptions. Ride through settings are principally trip settings. The DER-to-utility communication network is the data/information that is sent between the utility and the DER. It establishes the link that allows the utility to monitor, control, and integrate DERs into the grid.

If an attack wanted to cause disruptions, they would target the DER-to-utility communication network. For example, one mode of attack could involve the attacker maliciously instituting changes to the over/undervoltage ride through (trip) settings to cause more and more DER devices to disconnect from the grid to break the DER grid integration. The ability for the DERs to “ride through” abnormal grid activity helps balance the grid. Therefore, if enough DERs disconnect, the grid’s resiliency becomes jeopardized. This type of attack leads to grid destabilization and even blackouts in extreme cases.

Defending VPP’s in Layers

Since DER-to-utility communication networks enable DER grid integration, protecting the communication channel which allows the DER to “ride through” grid abnormality is vital to grid stability. Many protocols are used and layered to secure this communication channel. This layered approach to security is known as defense-in-depth.

Government protocols such as IEEE 2030.5 and industry protocol distributed network protocol 3 (DNP3), are some examples of the defense-in-depth technique for the utility industry. Additional policies defense-in-depth strategies for IT systems and security engineers includes

• DER-to-utility communication networks
• Supply chain security
• Continuous monitoring & Logging
• Role based Access control (RBAC)
• IAM
• Patch management

Each layer consists of the defense-in-depth strategy, which provides its own unique objective. For instance, consider the following policies and controls for protecting DER-to-utility communication networks:

Policy – Monitoring and Logging Policy

As the name implies, a monitoring and logging policy is designed to set guidelines and procedures for recording and measuring system events to ensure system safety and security, to find and provide alerts for any potential abnormalities, and ultimately better help with troubleshooting.

• Control – Threat Hunting Reporting (NIST DE.CM-4)
  • Activities
    • Actively searches for indicators of compromise (IoCs)
  • Objective
    • To communicate the discovery of threat hunting reporting to stakeholders with the intentions of enhancing defenses by updating Security Information and Event Management (SIEM) systems, improve alerting, and strengthen existing controls (NIST R.PT-1)
  • Application
    • CIP-015-1 requires the presence of internal network security monitoring

Policy – Configuration Management Policy

This policy was designed to ensure that updates and patches are tested and validated in a staged environment prior to moving to production. (NIST SP 800-82 Rev. 3)

• Control – Patch Management Control
  • Activities
    • Creating and maintaining scheduled updates to fix known system vulnerabilities
  • Objective
    • To identify and apply software and firmware updates to reduce known vulnerabilities for the purposes of enhancing the organization’s security posture

Conclusion: Cybersecurity & Virtual Power Plants

As technology continues to grow and evolve, new strategies and tactics will continue to be defined for years to come. Despite all the technological advances within the industry, defending cybersecurity systems within virtual power plants remains rooted in the core practices of a layered defense-in-depth approach, stringent identity and access management (IAM), proactive threat hunting and continuous monitoring, and robust supply chain security. These foundational elements are crucial to mitigating the sophisticated cyberattacks targeting DERs and virtual power plants.

About The Author

With time well spent as a business analyst, Lauren brings a unique blend of analytical rigor and strategic thinking to the cybersecurity realm. Her journey into IT started with a master’s degree in information systems followed by a Security+ certification which allowed her to make a career transition into cybersecurity. Beyond the digital landscape, they find balance and inspiration in exploring nature through hikes, fueled by a deep-seated passion for making the world—both online and offline—a safer place for all.

More About Lauren