According to the FBI’s 2024 Internet Crime Report, cyberattacks caused $16 billion in losses last year, a 33% increase from 2023; analysts project global losses to reach $15.63 trillion by 2029. Cybercrime represents a rising geopolitical threat to the aging U.S. electric grid, which saw cyberattacks jump by 70% in 2024 compared to 2023. Utilities present a target that threat actors seek to compromise for various gains, from ransom to destabilizing U.S. energy infrastructure. Cyberattacks can come from anywhere, from remote threat actors to employees (insider threats), who account for 68% of data breaches every year. As such, the role-based access control strategies required of utilities by the NERC CIP standards remain vital to utility cybersecurity, tightly controlling access based on user roles.
Cybersecurity & the U.S. Electric Grid
Electric utilities have numerous cyberattack vulnerabilities that threat actors can exploit. Possible attack vectors include:
- Industrial control systems – Threat actors have targeted industrial control systems (ICS), the systems and networking protocols that allow grid operators to remotely control industrial equipment, particularly outdated, legacy load control systems that may not have been updated to current protocols.
- Distributed energy resources (DERs) – Distributed energy resources (DERs) include solar, battery energy storage systems (BESS), electric vehicles, EVSE chargers, and smart home devices like thermostats and water heaters. These DER assets are aggregated through a distributed energy resource management system (DERMS) for use in demand flexibility programs like virtual power plants (VPPs), demand response, and EV charging. Threat actors have used these vectors—personal DER assets—to create botnets, which allow them to launch coordinated attacks to disrupt distribution systems.
- Global positioning systems (GPS) – Because the grid relies on the Internet of Things (IoT), threat actors can compromise GPS timing, which upends real-time data and threatens generation, transmission, and distribution functions.
What Are Role-Based Access Control (RBAC) Roles & Why Do They Matter?
Altogether, these threats pose a serious and broad risk to utility cybersecurity. Role-based access controls (RBACs) are informed by the Principle of Least Privilege (PoLP), which ensures that employees, applications (APIs), and systems have only the minimum permissions required to complete their job-affiliated tasks. RBACs help mitigate the exploitation of attack vectors on the electric grid by:
- Segmenting permissions based solely on job responsibilities (roles); for instance, a transmission operator cannot access distribution feeder controls, and a DER device only has permission to send telemetry, not control other devices, i.e., the Principle of Least Privilege
- Minimizing an attacker’s ability to move laterally within systems and reach high-value assets
- Providing auditing insights into user actions, which helps inform the root cause analysis (RCA)
To clarify, role-based access control (RBAC) is the ability to define areas of access based on a user’s job function. It lets the cybersecurity professional assign permissions at the group (role) level rather than to individual users. Assigning permissions directly to each user becomes difficult to manage across account creation, updates, and revocations.
RBAC is the unified framework that results from systematic collaboration between human resources partners and system administrators, translating job functions into automated, precise, and secure system permissions.
Types of User Roles
Division of access is crucial when allotting user role assignments. As such, several permission types are available, including:
- Read permissions – this allows the user to view the data
- Write permissions – As the name implies, this permission allows the user to update/change the data.
Beyond the baseline of Read and Write, permissions are commonly combined to create more functional security roles. These composite permissions can be enforced at multiple layers:
- Object-Level: Applying Read/Write to an entire resource (e.g., a specific database table).
- Field-Level (or Record-Level): Defining permissions within an object (e.g., a user can Read the “Salary” field but only Write to the “Address” field).
- Hierarchical-Level: Granting rights that cascade down through a structure (e.g., Write access to a top-level Container implicitly grants Write access to all Files within it).
These composite permissions give system administrators more flexibility in role creation. This is where global permissions come into play.
- Global permissions grant a permission across an entire system, platform, or organizational environment, rather than restricting it to specific resources, individual users, or small groups (see below).
It’s also worth noting that in some cases, these roles are stackable, which allows for additional access. Essentially, a user identity can be assigned multiple distinct role profiles concurrently, with the resulting access privileges being the union of all permissions granted by each assigned role. Stackable roles are necessary where complex job functions exist. While they provide flexibility, they can cause unintentional access elevation. Therefore, system administrators need to be mindful of how stackable roles are combined.
Now, let’s break down the individual types of user roles that may exist within a DERMS platform.
Team Management Roles
For compliance officers, defining and enforcing team management roles and responsibilities within the virtual power plant (VPP) and distributed energy resource management system (DERMS) environment is a critical component of regulatory adherence and risk mitigation. Since industry standards for these platforms are still emerging, and platforms vary significantly (e.g., Grid DERMS versus Grid-Edge DERMS), organizations must precisely implement role-based access control (RBAC) to enforce Separation of Duties (SoD) and meet mandates like those from NERC. This ensures that only authorized personnel can initiate high-impact actions (like dispatch) or access sensitive operational data. Core functioning roles that illustrate this principle include:
- VPP Operator/Trader: Focused on real-time market interaction and system dispatch, possessing permissions to view real-time data and issue direct control signals to the DER fleet.
- Asset Manager / Analyst: Focused purely on performance review and reporting, granted only read-only access to historical data and forecasts, with no permissions for physical control or dispatch.
- VPP Administrator (Admin): Focused on overall system governance and user management, possessing full control over user accounts, adding/removing DER assets, and managing market configurations, representing the highest level of privilege.
This strict segmentation, necessary due to the diverse nature of DERMS platforms—from those managing utility-scale assets (Grid DERMS) to those managing high volumes of customer-owned devices (Grid-Edge DERMS)—is essential to prevent unauthorized access and protect critical infrastructure. Essentially, these roles help minimize the attack surface and prevent privilege escalation from maliciously impacting high-priority event management or device data.
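To make the permission layers, role stacking and Separation of Duties described above concrete, here is a small added example (not code from the original article or from any DERMS product): roles are sets of grants at object, field or hierarchical level, a stacked assignment resolves to the union of its roles, and a policy check flags stacked combinations that silently elevate a user into an SoD conflict. Role, resource and policy names are illustrative assumptions.

```python
# Added example: minimal RBAC model with object/field/hierarchical grants,
# stackable roles (union of grants) and a Separation-of-Duties check.
# Role names, resource tree and SoD policy are constructed for illustration.

# Resource tree: a grant on a parent cascades to its children (hierarchical level).
TREE = {
    "fleet": ["fleet/feeder-A", "fleet/feeder-B"],
    "fleet/feeder-A": ["fleet/feeder-A/bess-01"],
}

# Grants are (resource, field, action); field=None means the whole object.
ROLES = {
    "vpp_operator": {("fleet", None, "read"), ("fleet", None, "dispatch")},
    "asset_analyst": {("fleet", None, "read"), ("reports", None, "read")},
    "vpp_admin": {("users", None, "write"), ("fleet", None, "write"),
                  ("market_config", None, "write")},
    # Field-level: may update a customer's address but only read other fields.
    "enrollment": {("customer", "address", "write"), ("customer", None, "read")},
}

# Capability pairs one identity must never hold together (assumed SoD policy):
# managing user accounts and issuing dispatch signals.
SOD_CONFLICTS = [(("users", None, "write"), ("fleet", None, "dispatch"))]

def descendants(resource):
    """Return the resource plus everything below it in TREE."""
    out, stack = set(), [resource]
    while stack:
        r = stack.pop()
        if r not in out:
            out.add(r)
            stack.extend(TREE.get(r, []))
    return out

def effective_grants(assigned_roles):
    """Union of all grants from the stacked roles, expanded down the hierarchy."""
    grants = set()
    for role in assigned_roles:
        for res, field, action in ROLES[role]:
            for r in descendants(res):
                grants.add((r, field, action))
    return grants

def is_allowed(assigned_roles, resource, action, field=None):
    """A field-level grant matches its field; an object-level grant covers every field."""
    g = effective_grants(assigned_roles)
    return (resource, field, action) in g or (resource, None, action) in g

def sod_violations(assigned_roles):
    """Return the SoD conflicts created by stacking these roles on one identity."""
    g = effective_grants(assigned_roles)
    return [pair for pair in SOD_CONFLICTS if pair[0] in g and pair[1] in g]
```

Running `sod_violations(["vpp_admin", "vpp_operator"])` reports the conflict that neither role has on its own, which is the "unintentional access elevation" an administrator must review before approving a stacked assignment.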
Customer Engagement Roles
The success of scalable customer demand flexibility programs and virtual power plants (VPPs) relies heavily on digital customer engagement, which simultaneously introduces a key utility cybersecurity concern regarding the security of direct customer interactions and sensitive data. To address this, utilities leverage dedicated customer engagement roles that are crucial for mitigating risk by siloing access to customer-facing systems (like portals and messaging centers), ensuring that only personnel with defined permissions can handle sensitive information and management tasks.
– Lauren Corley, IT Systems & Security Engineer, Virtual Peaker
This strict implementation of the Principle of Least Privilege protects the overall customer ecosystem and maintains the integrity of the critical control functions handled by the Grid-Edge DERMS. Examples of these specialized roles include:
- Incentive Processing Personnel: Granted access to verify participation and manage payment/credit systems.
- Marketing and Outreach Managers: Authorized to utilize customer segmentation data to execute targeted campaigns and manage enrollment.
- Enrollment Specialists: Granted specific permissions to verify and onboard new customers and their distributed energy resources (DERs).
Overall, RBAC for customer engagement ensures that utility scaling efforts are matched by a robust, segmented security strategy, making customer interaction both efficient and safe.
Forecasting Roles
Forecasting software is a monetizing functionality for virtual power plant (VPP) and utility operations, because it helps operators plan and manage potential load, maximize revenue, and ensure grid resiliency. Accurate forecasts, derived from real-time and historical data streams, influence rate structures, enable strategic energy arbitrage to ameliorate peak market costs, and keep supply and demand in equilibrium. However, the proprietary nature of the prediction models and the market-sensitive data they rely on present a potential utility cybersecurity threat.
Therefore, RBAC is strictly applied to segment forecasting personnel and protect this intellectual property. User roles are carefully designed to separate the duties of creation, analysis, and execution:
- Forecasting Analyst Roles are typically granted Read-Only access to crucial data streams (weather, market prices) and the VPP fleet data, and Read/Write access solely within the secure Model Training Environment.
- Data Scientist Roles maintain control over model integrity, having access to version control systems but strictly limited access to the live operational environment.
- Market Analyst/Optimization Specialist Roles are restricted to viewing approved, validated forecasts and have Read/Write access only within the bidding and optimization engines.
This strict segregation ensures that unauthorized access cannot lead to the theft of proprietary models or the manipulation of forecasts, which could destabilize the grid or distort market functions.
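The auditing benefit of RBAC noted earlier becomes tangible when the forecasting role matrix above is checked against what users actually did. The following added example (not from the original article or any vendor's software) encodes that matrix and flags audit-log entries that fall outside the acting role's grants; the log format, environment names and the read-only limit on the data scientist's live-environment access are assumptions.

```python
# Added example: check DERMS audit-log entries against the forecasting RBAC
# matrix. Log line format, environment and role names are constructed.
import re

# role -> {environment: set of allowed actions}, following the article's
# Read-Only / Read-Write split. live_ops read-only for data scientists is an
# assumption standing in for "strictly limited access".
FORECASTING_ROLES = {
    "forecasting_analyst": {
        "weather": {"read"}, "market_prices": {"read"}, "fleet_data": {"read"},
        "model_training": {"read", "write"},
    },
    "data_scientist": {"version_control": {"read", "write"}, "live_ops": {"read"}},
    "market_analyst": {
        "approved_forecasts": {"read"},
        "bidding_engine": {"read", "write"}, "optimization_engine": {"read", "write"},
    },
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"action=(?P<action>\S+) env=(?P<env>\S+)$"
)

def parse(line):
    """Return the log fields as a dict, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_permitted(role, action, env):
    return action in FORECASTING_ROLES.get(role, {}).get(env, set())

def find_violations(lines):
    """Return (user, role, action, env) for each entry outside its role's grants.
    Malformed lines are reported too: a gap in the audit trail is itself a finding."""
    out = []
    for line in lines:
        e = parse(line)
        if e is None:
            out.append(("<unparsed>", "", "", line.strip()))
        elif not is_permitted(e["role"], e["action"], e["env"]):
            out.append((e["user"], e["role"], e["action"], e["env"]))
    return out

# Constructed sample log: a permitted read, an analyst writing to the live
# environment, a permitted data-scientist read, and a market analyst writing
# into the model training environment (outside that role).
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z user=alice role=forecasting_analyst action=read env=market_prices",
    "2025-03-01T10:02:00Z user=alice role=forecasting_analyst action=write env=live_ops",
    "2025-03-01T10:05:00Z user=bob role=data_scientist action=read env=live_ops",
    "2025-03-01T10:07:00Z user=carol role=market_analyst action=write env=model_training",
]
```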
Conclusion: Role-Based Access Control: User Roles & Utility Cybersecurity
With so many potential vulnerabilities across Industrial Control Systems (ICS) and connected distributed energy resources (DERs), utility cybersecurity has taken on an entirely new systemic importance. Cyberattacks are increasingly sophisticated, targeting both traditional IT networks and operational technology (OT) to compromise essential infrastructure. As such, utility cybersecurity transcends merely protecting customer data; it is fundamentally about safeguarding essential national infrastructure and preserving grid stability.
Implementing and enforcing robust role-based access control (RBAC) is therefore not just an administrative step, but a critical, foundational tool for utility cybersecurity efforts in mitigating both external exploitation and the ever-present threat of internal misuse or negligence.