Conference Paper
Cyber Security Assessment of Distributed Energy Resources
Cedric Carter, Ifeoma Onunkwo, Patricia Cordeiro, Jay Johnson
Sandia National Laboratories, Albuquerque, New Mexico, 87185, USA

Abstract
New distributed energy resource (DER) interconnection standards require communications and interoperability to provide grid operators greater flexibility for delivering voltage and frequency support. These communication channels are designed to allow utilities, aggregators, and other grid operators the ability to enable and configure various grid-support functions. However, these capabilities expand the power system cyber security attack surface and pose a significant risk to the resilience of the electric grid if controlled in aggregate. To advise the solar industry, grid operators, and government of the current risks and provide evidence-based recommendations to the community, Sandia performed cyber security assessments of a communications-enabled PV inverter and remote grid-monitoring gateway. The team found several well-designed security features but also some weaknesses. Based on these findings, recommendations are provided to improve the security features of DER devices.

Index Terms: cyber security, distributed energy resources, PV inverters, control network security.
I. INTRODUCTION
Power system Supervisory Control and Data Acquisition (SCADA) communications are generally proprietary stovepipe systems running on dedicated communication channels with a dependence on perimeter defenses. These networks typically run between large centralized generators, substations, and other utility-owned assets and the utility management system. However, this communication network will be expanding rapidly with the addition of interoperability requirements in the forthcoming revision to the U.S. interconnection standard IEEE Std. 1547 [1]. This presents an emerging fundamental challenge in securing power systems because distributed energy resource (DER) communications run over public and poorly-secured private networks, and the addition of DER devices significantly increases the electrical grid attack surface.

In January 2017, the second installment of the Quadrennial Energy Review (QER 1.2) focused on the electricity system and found it was a strategic imperative to protect and enhance the cyber defenses of the U.S. through modernization and transformation [2]. The Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), which coordinates control systems-related security incidents, has seen increasing numbers of incidents in recent years, with the energy sector making up a significant portion of these (15% in 2015) [3]-[4]. As an example of the risk posed by these incidents, in Dec. 2015, there were coordinated cyber-attacks on three Ukrainian Oblenergos (distribution companies), resulting in the disconnection of seven 110 kV and twenty-three 35 kV substations, and power outages affecting approximately 225,000 customers for 3 hours [5]-[6].

Historically, DER devices were programmed statically and not designed to provide any grid-support services. However, with the increasing penetration of solar and energy storage systems, there is a growing need to provide grid-support capabilities, evidenced by the recent updates to California and Hawaii interconnection rules [7]-[8] and the forthcoming full revision to IEEE 1547. Interoperability capabilities are now common for most inverters deployed in the U.S. These devices communicate over Ethernet, Wi-Fi, Bluetooth, and serial connections using a variety of proprietary and standardized protocols (e.g., SunSpec Modbus [9]). Enphase Energy made headlines worldwide when it remotely updated 800,000 inverters (154 MW of capacity) on the Hawaiian Islands of O’ahu, Hawai’i, Moloka’i and Lana’i in 2015 [10], [11]. While many praised the achievement as a breakthrough for reducing the costs of retrofitting power systems, others warned of the cyber security implications. If one company could remotely update the settings of hundreds of megawatts of power equipment, anyone with access to that control network would be able to make malicious changes to those devices as well. Certain settings could damage equipment, cause distribution overvoltages, or initiate a blackout if the contingency reserve was not sufficient. For example, on the island of O’ahu, there will be an estimated 400 MW of installed PV capacity in 2017 but only 180 MW of contingency reserves [12]. Therefore, disconnecting or curtailing a significant portion of the solar generation on a sunny day could cause a blackout because backup power is sized for N-1 contingencies, not cyber-attacks.

As DER enter the Internet of Things (IoT), there have been some early cyber security warning signs. Upon gaining access to a VPN tunnel established for a DC optimizer data manager, Fred Bret-Mounet discovered 1,000 other PV devices on the same subnet. Had he desired, he could have also remotely disconnected these devices [13]-[14]. A large Distributed Denial-of-Service (DDoS) attack using a botnet of IoT devices affected many websites including Amazon, Twitter, and Netflix in Oct. 2016 [15].

Consequently, it is imperative to secure DER communications to provide grid reliability and resiliency. Many DER devices communicate via unsecured serial protocols (e.g., Modbus), so there has been an effort to develop translators that integrate with DER to take encrypted protocols such as OpenADR 2.0b and IEEE 2030.5 (SEP 2.0) and only decrypt the communications within the DER [16]. This approach mitigates the security risk because the adversary needs physical access to the devices to subvert them. As part of a California Solar Initiative grant, Sandia National Laboratories (Sandia) led a team to generate cyber security recommendations for PV inverters using SunSpec Modbus removable communications modules [17]. The team presented a number of threats, vulnerabilities, and high-level recommendations for residential inverter-based DER systems covering physical security, access control, integrity, confidentiality, encryption, and policy.

Novel methods for detecting, mitigating, and recovering from cyber-attacks must also be developed to counteract rapidly evolving threats and vulnerabilities. Techniques for identifying and removing compromised/unauthorized DERs, segmenting DERs into resource pools to minimize damage in the event of a successful compromise, and safeguarding the DER from mass compromise are being developed by Sandia National Laboratories and many other research institutions.
II. CYBER ASSESSMENTS
Vulnerability assessments and penetration testing are important milestones for securing complex systems exposed to unsanctioned environments. Sandia has many years of experience over a broad range of cyber assessment applications that require strict assurances. Many of the research and development efforts are designed to protect critical infrastructure for the U.S. Government and private industry.

To help protect and improve the security of DER devices in the United States and globally, the Sandia team conducted cyber assessments of interoperable DER devices. The cyber assessments were designed to better understand the risks posed by current communication practices from various vendors. The solar and DER industry can shift toward a more secure DER control infrastructure by addressing the cyber security risks identified during these assessments and incorporating more security features in future hardware and software revisions. The overall goal of the cyber assessment and penetration tests was to take a snapshot of the security profile for exemplar fielded equipment in order to inform the industry of security weaknesses and provide recommendations to DER and gateway vendors. Additionally, by going through the cyber assessment process, a more formalized approach was developed for conducting these studies in the future. This procedure could be refined to create the basis of a cyber security testing protocol in the future.

Sandia’s Information Design Assurance Red Team (IDART) performs physical and cyber security assessments for government agencies using an experienced methodology [18]. Red teaming is defined as an authorized, adversary-based assessment for defensive purposes. The cyber assessments presented here incorporated elements of this methodology, guidelines from the NIST Guide to Industrial Control Systems (ICS) Security [19], the ICS-CERT Practice Guide [20], and collective expertise regarding networked PV inverters and PV gateways.
III. LABORATORY CONFIGURATION
In order to conduct the assessments, an isolated, controlled network was created for selected DER devices. All the experiments were performed at the Distributed Energy Technologies Laboratory (DETL) at Sandia National Laboratories. The following security tests and experiments were performed:
• Network Reconnaissance
• Packet Replay
• Man in the Middle
• Denial of Service (DoS)
• Modified Firmware Upload
• Maintained Logs per Device
• Password Handling

A network was created with two residential-scale DER devices, clients, switches, and a red teaming station, shown in Fig. 1. Device A used a software GUI to change settings using UDP/IP, and Device B used a web-interface GUI to change settings using TCP/IP via a gateway that then issued proprietary commands to the DER. Security assessments and evaluations focused on the current version of the software installed on each device. The red team station was equipped with Kali Linux, an open-source Linux operating system equipped with security tools such as network scanners to probe for vulnerabilities and network attack tools used to identify and exploit vulnerabilities.

Fig. 1. Virtual and physical network diagram with hardware-in-the-loop test bed for red team exploration.

This report summarizes efforts undertaken to identify and evaluate the security vulnerabilities associated with the aforementioned devices with the aim of infiltrating and compromising the system. The assessment findings led to multiple recommendations to improve the security of the system. These recommendations were provided to the DER vendors and are anonymized herein to advise the greater industry.
IV. EXPERIMENTAL RESULTS
A. Experiment 1: Network Reconnaissance
Network reconnaissance is typically the first step an adversary takes to gain information about the system of interest. To gather as much information as possible about the DER devices, Nmap and OpenVAS tools running on Kali Linux were used for vulnerability scanning and device reconnaissance. The tools determined open ports and services running on the DER devices by probing and scanning all valid network ports (1-65535), as shown in Fig. 2.

Fig. 2. OpenVAS port detection results on a DER device.

Network reconnaissance revealed the IP and MAC addresses of the DER devices, operating services, the type of system, and the open ports. The scan also identified vulnerable services running on the open ports. An additional scan identified that denial of service (DoS) attacks could potentially saturate and shut down both Device A and Device B. For Device B, multiple types of denial of service attacks were identified: two could crash the gateway and the other reported the device was susceptible to hub flood attacks. Hub flood attacks could aid an adversary in sniffing data communications when the switch turns into a learning mode. Finally, the DER scans indicated that security patches were not up to date.
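The same scan output is what a device owner should compare against the intended service inventory. The following is an added example, not code from the paper or from either vendor: it parses Nmap's XML report format (`nmap -oX`), flags open ports that are not on an allow-list of expected services, and calls out cleartext management services such as FTP and telnet, which the recommendations later in the paper say should be discontinued. The XML document, the IP and MAC addresses, and the allow-list (only Modbus/TCP on port 502) are constructed for this illustration.

```python
"""Audit an Nmap XML scan of a DER device against an allow-list of
expected services.  Added example; the XML below is constructed to follow
the `nmap -oX` layout and is not a scan of the devices in the paper."""
import xml.etree.ElementTree as ET

# Constructed sample: one host with three open ports and one closed port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="502"><state state="open"/><service name="mbap"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Management services that carry credentials in the clear.
CLEARTEXT_SERVICES = {"ftp", "telnet", "tftp"}


def parse_open_ports(xml_text):
    """Return {host_ip: [(proto, port, service_name), ...]} for ports in state 'open'."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        ip = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
        open_ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            open_ports.append((port.get("protocol"), int(port.get("portid")), name))
        result[ip] = open_ports
    return result


def audit(xml_text, allowlist):
    """allowlist is a set of (proto, port) the device is meant to expose.
    Returns (ip, finding_kind, proto, port, service) tuples for an operator."""
    findings = []
    for ip, ports in parse_open_ports(xml_text).items():
        seen = set()
        for proto, port, name in ports:
            seen.add((proto, port))
            if (proto, port) not in allowlist:
                findings.append((ip, "unexpected", proto, port, name))
            if name in CLEARTEXT_SERVICES:
                findings.append((ip, "cleartext", proto, port, name))
        # An expected service that is missing is also worth a ticket (a crashed
        # gateway looks exactly like this after a DoS).
        for proto, port in sorted(allowlist - seen):
            findings.append((ip, "expected-but-missing", proto, port, ""))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NMAP_XML, {("tcp", 502)}):
        print(finding)
```

Running the audit periodically (rather than once during commissioning) turns the paper's reconnaissance step into a detection control: a port that opens after a firmware update, or a Modbus service that disappears, shows up as a finding.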
B. Experiment 2: Packet Replay
Packet replay is a network attack in which a data transmission is maliciously replayed or repeated. This test validated the authentication of data transfer from the DER’s client application to the destination device. Data transmissions between the DER client applications and the devices were recorded, modified, and retransmitted as shown in Fig. 3.

By modifying the contents of the messages, an adversary could enable a range of DER actions. A configured Switched Port Analyzer (SPAN) port on a switch verified that traffic generated from the DER client applications and the devices utilized both TCP/IP and UDP/IP transport protocols. Portions of DER modification requests were passed in plain text, and set point commands could be determined by inspecting the data packets of recorded traffic. To perform the packet replay attack, a DC disconnect voltage setting request from the client application was captured, modified to a new set point, and retransmitted using an unauthenticated client script created with a UDP/IP socket library in Python. This action bypassed the DER client credentials needed to modify the DER. The falsified command was accepted by the DER and the DC disconnect voltage was modified on the DER device.

Fig. 3. Packet replay attack example.

DER applications that use TCP/IP transport are more resistant to packet replay attacks because each session uses a unique session identifier that the DER device generates during the initial three-way TCP handshake at communication initialization. Session IDs are unique and pseudo-randomly generated, so they cannot be reused during a different communication session because the DER expects another unique session ID. Specifically, TCP/IP transport includes additional header information (e.g., the TCP sequence number) that DER applications can use to prevent packet replay attacks. The sequence number enables the server to detect and drop duplicated packets transferred to the DER device, which prevents replay attacks because the same packet cannot be retransmitted. The sequence number is kept in sync with the Acknowledgement (ACK) value during the transaction, as shown in Fig. 4. Sequence numbers also ensure that insertion of data into the data stream can be detected.

Fig. 4. Example TCP/IP transaction session.
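What defeated the UDP replay in Experiment 2 is the absence of any authentication on the set point message itself; the TCP sequence number discussed above is a transport detail that an application should not rely on for this. The block below is an added example, not code from the assessed devices or the paper: it contrasts a legacy handler that applies any well-formed set point packet with a hardened handler that requires a keyed MAC over the message and a strictly increasing counter, so that both a replayed capture and an edited capture are refused regardless of whether the transport is UDP or TCP. The shared key, the 14-byte message layout, and the register numbering are assumptions made for the illustration.

```python
"""Authenticated, replay-resistant set point commands for a DER controller.
Added example, not code from the assessed devices; the key, message layout
and register id are constructed for this illustration."""
import hashlib
import hmac
import struct

SHARED_KEY = b"example-key-provisioned-at-install"  # constructed; one key per device in practice
DC_DISCONNECT_V = 1          # assumed register id for the DC disconnect voltage set point
BODY_FMT = ">QHf"            # 8-byte counter, 2-byte register id, 4-byte float value
BODY_LEN = struct.calcsize(BODY_FMT)   # 14
TAG_LEN = 32                 # HMAC-SHA256


class LegacyDer:
    """Mirrors the UDP behaviour seen in Experiment 2: any well-formed packet is applied."""
    def __init__(self):
        self.dc_disconnect_v = 400.0

    def handle(self, packet):
        register, value = struct.unpack(">Hf", packet)
        if register == DC_DISCONNECT_V:
            self.dc_disconnect_v = value
        return "applied"


def build_command(counter, register, value, key=SHARED_KEY):
    """Client side: body || HMAC(key, body). The counter must only ever go up."""
    body = struct.pack(BODY_FMT, counter, register, value)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class HardenedDer:
    """Checks the tag first (constant time), then the counter, then applies."""
    def __init__(self, key=SHARED_KEY):
        self.key = key
        self.last_counter = 0          # persisted across reboots on a real device
        self.dc_disconnect_v = 400.0

    def handle(self, packet):
        if len(packet) != BODY_LEN + TAG_LEN:
            return "rejected: malformed"
        body, tag = packet[:BODY_LEN], packet[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "rejected: bad tag"          # edited or forged packet
        counter, register, value = struct.unpack(BODY_FMT, body)
        if counter <= self.last_counter:
            return "rejected: replay"           # captured packet sent again
        self.last_counter = counter
        if register == DC_DISCONNECT_V:
            self.dc_disconnect_v = value
        return "applied"


def demo():
    legacy, hardened = LegacyDer(), HardenedDer()
    genuine = build_command(1, DC_DISCONNECT_V, 420.0)      # legitimate client command
    r_ok = hardened.handle(genuine)
    r_replay = hardened.handle(genuine)                     # same bytes sent a second time
    edited = bytearray(genuine)
    edited[10:14] = struct.pack(">f", 100.0)                # value field rewritten in the capture
    r_edited = hardened.handle(bytes(edited))
    r_legacy = legacy.handle(bytes(edited[8:BODY_LEN]))     # legacy device sees only id+value
    return r_ok, r_replay, r_edited, r_legacy, hardened.dc_disconnect_v, legacy.dc_disconnect_v


if __name__ == "__main__":
    print(demo())
```

The counter is the part that is easy to get wrong in firmware: it has to survive a reboot, otherwise every restart reopens the window for the oldest captured packet. A real deployment would also rotate the key and, for interactive sessions, prefer TLS with mutual authentication over a hand-rolled message format.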
C. Experiment 3: Man in the Middle
Man in the middle attacks relay altered communications between two or more parties. This experiment validates the integrity and confidentiality of data communication between the DER devices and client applications. Ettercap, a man in the middle (MiTM) testing tool, was used to eavesdrop on communications between the DER client and device; then Address Resolution Protocol (ARP) poisoning and port stealing were successfully completed. ARP poisoning forced the MAC address of the adversary to be linked with the IP address of the victim. This technique enabled the interception of data in transit. (An example of this experiment is shown in Fig. 5.) Port stealing allowed interception and modification of data in transit and enabled the adversary to receive, read, and modify data before it reached the destination. In port stealing, an adversary often “steals” traffic that is directed to another port of an Ethernet switch. This attack allows the adversary to receive packets that were originally directed to another computer. ARP poisoning and port stealing resulted in data interception on both devices.

Fig. 5. MiTM attack on a DER device using Ettercap.
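ARP poisoning of the kind run here leaves a visible trace on the wire: an IP address that suddenly answers from a different MAC, and one MAC that claims to own several IPs. The block below is an added example, not part of the paper, showing the binding-table check that arpwatch-style monitors perform; it is the detection counterpart of the paper's later recommendation to lock MAC addresses on switch ports. The reply stream, the addresses, and the optional static bindings are constructed.

```python
"""Detect ARP poisoning from observed ARP replies by tracking IP-to-MAC
bindings.  Added example, not from the paper; the reply stream below is
constructed (192.0.2.10 = DER, 192.0.2.20 = DER client, aa:.. = intruder)."""
from collections import defaultdict

OBSERVED_REPLIES = [
    ("192.0.2.10", "00:11:22:33:44:55"),
    ("192.0.2.20", "00:11:22:33:44:66"),
    ("192.0.2.10", "00:11:22:33:44:55"),   # repeat of a known binding: normal
    ("192.0.2.10", "aa:bb:cc:dd:ee:ff"),   # someone else now answers for the DER
    ("192.0.2.20", "aa:bb:cc:dd:ee:ff"),   # and for the client: classic two-sided poisoning
]


class ArpMonitor:
    def __init__(self, static_bindings=None):
        # Static bindings (e.g. copied from the switch port-security table) are
        # trusted; anything else is learned on first sight and then pinned.
        self.bindings = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.ips_by_mac = defaultdict(set)
        for ip, mac in self.bindings.items():
            self.ips_by_mac[mac].add(ip)
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            # Keep the original binding; do not let the newcomer overwrite it.
            self.alerts.append(f"IP {ip} moved from {known} to {mac}")
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            self.alerts.append(f"MAC {mac} claims {sorted(self.ips_by_mac[mac])}")
        return self.alerts


def run(replies=OBSERVED_REPLIES, static_bindings=None):
    mon = ArpMonitor(static_bindings)
    for ip, mac in replies:
        mon.observe(ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

A "moved" alert on its own can also be a legitimate NIC replacement, which is why the static-binding input matters: with the DER's port locked to one MAC on the switch, the monitor's alert and the switch's port-security violation should coincide.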
D. Experiment 4: Denial of Service (DoS)
Denial of service attacks result from flooding the bandwidth or resources of the targeted system to cause severe latency, disruption of control flow, or intermittent connections. In a DoS attack, the adversary increases the amount of time needed to issue responses by submitting abnormally fast traffic to open ports on the DER device. This attack continuously flooded the DER devices with orchestrated packets. In addition, this type of attack can make the DER device unavailable for access by legitimate users, as shown in Fig. 6.

This test validates the availability of data transferred between the DER client and devices. There was latency between the client application command and the DER device response. It took approximately 100 ms to submit various requests and receive responses from Device A, and 200 ms from Device B. These requests included the following:
• Passwords used to gain access
• Device name change
• Device configurations

Successful DoS attacks were demonstrated on Devices A and B, whereby the connection time to the DER devices was significantly increased. This was accomplished by using a Python module and a bash script to continuously send packets every 100 ms. During the DoS attack, the legitimate user could not connect to the DER, read data points, or make modifications with the DER client. After the DoS attack, the DER client applications needed to be reconnected to make modifications to the DER.

Fig. 6. Example DoS attack on a DER device.
E. Experiment 5: Modified Firmware Upload
Modified firmware attacks surreptitiously change the overall functionality of the DER. This test validates the integrity and authentication of the firmware update process of DER embedded systems. Firmware updates can often be performed either locally or remotely, through an Ethernet, Wi-Fi, or USB connection, via an FTP or telnet session. The two DER devices were tested to ascertain whether a malicious user could load unauthorized firmware.

In these experiments, firmware update files were obtained from the device manufacturers. These files were modified in a hexadecimal editor, changing either single byte values of known parameters in readable sections of the code, or randomly selected bytes in code that was not human readable. In all types of modifications, the end-devices successfully rejected the modified firmware.

Device A’s rejected upgrade halted, most likely due to a cyclic redundancy check (CRC). Any intentional modification to the firmware would require the correct identification and recalculation of a valid CRC value for the modified file, as shown in Fig. 7. CRC algorithms are designed for error detection, not security, and there exist mathematical tools for reversing CRCs. Falsifying the CRC requires insight into the CRC polynomial and other parameters used, as well as discovering what segments of the file to input to the CRC computation.

Fig. 7. Example firmware creation process.

The firmware file for Device B contained no human readable code. A high entropy measure of the file indicated that the data was likely encrypted. An update with a randomly modified data byte failed, necessitating a restart of the user interface. The device upgrade appeared to be secured by means of both encryption and authentication. However, the device was seen to have loaded and decrypted the file prior to rejecting the modified upgrade. Better practice would authenticate a file prior to decryption so as to prevent emplacement of malicious code on the device.

Another Device B firmware file with no readable code was randomly modified and submitted via the network as a device update. In this case, the device ceased communicating without warning and could only be recovered with a local configuration method. The modified firmware upload had failed; however, the failure or protection mechanism was not conveyed to the user. Regardless of the cause, this test revealed that network access allowed an inappropriate upload to “brick” the device. Access must therefore be carefully managed on networked devices.
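The two Device findings above make a natural pair: a CRC trailer (Device A) detects accidental corruption but can be recomputed by anyone who knows the polynomial, and an authenticity tag checked only after decryption (Device B) means tampered bytes are already processed before they are rejected. The block below is an added example, not the update code of either device or vendor: it packages a constructed firmware image both ways, shows that a single-byte edit defeats the CRC check only until the CRC is refitted, and shows an encrypt-then-MAC layout whose tag is verified on the ciphertext before anything is decrypted. It also includes the Shannon entropy measure the paper used to judge that Device B's file was encrypted. Keys, the SHA-256 counter-mode keystream used as a stand-in for a real cipher, the HMAC tag used as a stand-in for a vendor signature, and the sample image bytes are all constructed assumptions.

```python
"""Firmware image checks contrasted: a CRC-only trailer versus
authenticate-then-decrypt.  Added example, not code from either assessed
device; keys, image layout and sample firmware bytes are constructed."""
import hashlib
import hmac
import math
import struct
import zlib

# Constructed "firmware": a readable parameter block followed by binary data.
SAMPLE_FIRMWARE = b"DER-FW v1.2 VMAX=0600 " + bytes(range(16)) * 64
ENC_KEY = b"constructed-encryption-key"   # assumption: provisioned per product line
AUTH_KEY = b"constructed-signing-key"     # assumption: stands in for a vendor signing key
TAG_LEN = 32


def shannon_entropy(data):
    """Bits per byte (0.0 .. 8.0). Encrypted or compressed data sits near 8,
    readable code or text well below; this is the measure the paper applied."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _keystream(key, n):
    # SHA-256 in counter mode as a stand-in stream cipher (a real device would
    # use an authenticated cipher from a vetted library).
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor_crypt(key, data):
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


# --- Variant 1: CRC32 trailer only (error detection, not security) ---
def package_crc(plain):
    return plain + struct.pack(">I", zlib.crc32(plain))


def check_crc(image):
    body, (crc,) = image[:-4], struct.unpack(">I", image[-4:])
    return zlib.crc32(body) == crc


def edit_and_refit_crc(image, offset, new_byte):
    """Why a CRC is no integrity guarantee: once the polynomial and the covered
    range are known, an edited image can simply be re-trailed."""
    body = bytearray(image[:-4])
    body[offset] = new_byte
    return package_crc(bytes(body))


# --- Variant 2: encrypt, then tag the ciphertext; verify before decrypting ---
def package_signed(plain, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    ct = xor_crypt(enc_key, plain)
    return ct + hmac.new(auth_key, ct, hashlib.sha256).digest()


def install_signed(image, enc_key=ENC_KEY, auth_key=AUTH_KEY):
    """Return the plaintext firmware, or None if the tag fails.  Because the
    tag covers the ciphertext, a tampered image is refused before a single
    byte of it is decrypted or written to flash."""
    ct, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(auth_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, ct)


def tamper(image, offset, new_byte):
    """Single-byte hex-editor style change, as performed in Experiment 5."""
    buf = bytearray(image)
    buf[offset] = new_byte
    return bytes(buf)


if __name__ == "__main__":
    crc_img = package_crc(SAMPLE_FIRMWARE)
    print("CRC after byte edit:", check_crc(tamper(crc_img, 17, 0x39)))
    print("CRC after refit:   ", check_crc(edit_and_refit_crc(crc_img, 17, 0x39)))
    signed = package_signed(SAMPLE_FIRMWARE)
    print("signed, tampered:  ", install_signed(tamper(signed, 17, 0x39)))
    print("entropy plain/cipher: %.2f / %.2f" % (
        shannon_entropy(SAMPLE_FIRMWARE), shannon_entropy(signed[:-TAG_LEN])))
```

In production the tag would be an asymmetric signature verified with a public key burned into the device, so that the secret never leaves the vendor; the ordering shown here (verify, then decrypt, then write) is the point, not the particular primitives.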
F. Experiment 6: Maintained Logs per Device
Per NIST [19], “Without proper and accurate logs, it might be impossible to determine what caused a security event to occur.” The two devices were found to store event logs in local memory, and this evaluation inspected the devices for proper bookkeeping practices. The manufacturers’ monitoring software packages were used to display the available logs of DER events. Logged events on the devices included communication device connection attempts and status, self-test results, DER parameter modifications, and grid status. Information in Device A’s logs was more accurate, including the date and time, the type, description, and source of the event.

However, in both devices, there was a limit to the number of events stored in local memory. It is unknown how typical operators archive the logs to maintain history for auditing. A solution to this issue can be accomplished by prompting the user to export logs once a certain memory usage is reached. In addition, stored logs should be protected from unattributed modification. Modifying stored logs can misguide auditing procedures, thus preventing an accurate case study. It is incumbent upon the user to change default passwords and control their use. A security event might not be tracked down if past events are not fully archived and attributable.
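The two log weaknesses named above, a finite local buffer and no protection against silent edits, can be addressed together. The block below is an added example, not the logging code of either assessed device: each entry carries the fields Device A logged (time, type, source, description) plus the hash of the previous entry, `append` returns a flag once the pending-event threshold is reached so the software can prompt for an export, and `verify_chain` reports the first entry whose contents or linkage no longer match. The event records, the threshold, and the all-zero genesis hash are constructed for the illustration.

```python
"""Tamper-evident DER event log with an export prompt at a memory threshold.
Added example, not the logging code of either assessed device; the events,
the threshold and the genesis value are constructed."""
import hashlib
import json

GENESIS = "0" * 64   # chain anchor for a fresh device (assumption)


def _digest(entry):
    # Hash every field except the hash itself, in a canonical encoding.
    fields = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


class DerEventLog:
    def __init__(self, export_at):
        self.export_at = export_at   # prompt the operator once this many events are pending
        self.entries = []            # events still only in device memory
        self.archive = []            # what the operator has exported so far
        self.seq = 0
        self.prev_hash = GENESIS

    def append(self, timestamp, kind, source, description):
        """Record an event that commits to its predecessor's hash.
        Returns True when the operator should be prompted to export."""
        entry = {"seq": self.seq, "ts": timestamp, "type": kind,
                 "source": source, "desc": description, "prev": self.prev_hash}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self.seq += 1
        self.prev_hash = entry["hash"]
        return len(self.entries) >= self.export_at

    def export(self):
        """Move pending events to the archive rather than letting the device
        overwrite them when local memory fills."""
        batch, self.entries = self.entries, []
        self.archive.extend(batch)
        return batch


def verify_chain(entries, expected_prev=GENESIS):
    """(True, None) if every entry hashes correctly and links to its
    predecessor; otherwise (False, seq of the first bad entry)."""
    prev = expected_prev
    for e in entries:
        if e["prev"] != prev or _digest(e) != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    return True, None


def demo():
    log = DerEventLog(export_at=3)
    # Constructed events modelled on the categories the paper lists.
    events = [
        ("2017-06-01T10:00:00Z", "conn", "192.0.2.20", "client connection accepted"),
        ("2017-06-01T10:00:05Z", "param", "192.0.2.20", "DC disconnect voltage set to 420 V"),
        ("2017-06-01T10:01:00Z", "selftest", "local", "self-test passed"),
        ("2017-06-01T10:05:00Z", "grid", "local", "grid frequency within limits"),
    ]
    prompts = [log.append(*ev) for ev in events]   # export prompt from the 3rd event on
    log.export()
    intact = verify_chain(log.archive)
    log.archive[1]["desc"] = "DC disconnect voltage set to 600 V"   # unattributed edit
    return prompts, intact, verify_chain(log.archive)


if __name__ == "__main__":
    print(demo())
```

The chain only makes edits detectable; it does not stop them. Pairing it with an export to a system the DER's own credentials cannot write to (a syslog collector, for instance) is what makes the record both attributable and durable.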
G. Experiment 7: Password Handling
The password handling experiment determined whether passwords were transferred in plaintext on the DER network. The experiment investigated the login and “password update/change” functions on the DER devices.

The gateway associated with Device B used unsecured web authentication mechanisms and had its passwords captured in plaintext using a network traffic analyzer tool. The login credentials of Device A were not transferred in plaintext. However, critical information for this DER, such as the serial IDs and device names, was transferred in plain text. An adversary could potentially gain insight from this information and formulate a cyber-attack. In addition, passwords used for the update/change function were transferred in plaintext on both devices. Modified passwords were captured in plaintext in the “password update/change” packet while eavesdropping on the network, as shown in Fig. 8.

Fig. 8. Network capture of a password during the update/change function.
H. DER Assessment Summary and Recommendations
Scanning the DER network, host device ports, and services, and performing red team analyses identified cyber security vulnerabilities in the interoperable DER. The findings of this assessment are summarized in Table I.

TABLE I
DER CYBER ASSESSMENT COMPARISON

                      Device A    Device B
Protocol              UDP/IP      TCP/IP
Analyzed Interface    Ethernet    Ethernet
Reconnaissance
Packet Replay         x           o
MiTM                  x           x
DoS                   x           x
Mod Firmware          o           o
Prevalent Logs        x           x
Password Handling     x           x

x = Exploits Exist, = Successful, o = Incomplete

As part of the assessment, multiple recommendations were collated to assist the PV and DER community in mitigating cyber weaknesses in the control networks. It is recommended to:
• Encrypt data exchanges and do not pass information in plaintext.
  o Use of telnet for remote logins should be discontinued or upgraded to the latest version, sTELNET.
  o Applications such as FTP should be replaced with another secure file transfer system, FTP-SSL.
• Secure password strategies and policies should be implemented and enforced for all system users. Require these credentials to be different for privileged access.
• Utilize practical firewall rules to mitigate the effects associated with Denial of Service attacks and unauthorized access to the DER network.
• Lock MAC addresses on the network devices and on each port of a switch to prevent receiving unauthorized traffic.
• Implement the AAA framework: Authentication, Authorization, and Accounting.
  o Authentication: Ensure users, devices, and applications attempting to access system resources are valid and trusted.
  o Accounting: Ensure all devices and systems are accounted for under cyber security best practices.
  o Authorization: Ensure users, devices, and applications attempting to access system resources are authorized for access.
• Practice the Principle of Least Privilege.
  o Every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
  o If a user or resource no longer needs access to perform a legitimate task, disable their access.
  o Disable all ports that are not being used for normal operation.
V. CONCLUSION
DER devices are increasingly being connected to internet networks to exchange information with utilities, aggregators, financial institutions, and grid operators. New interconnection standards in the US will soon require DER devices to include adjustable DER grid-support functions. The confluence of these two trends exposes the grid to new cyber security risks because adversaries could change DER functions through the public internet if the DER control networks are not properly secured. Sandia National Laboratories has conducted a cyber security assessment of two residential-scale interoperable DER devices to better understand the state-of-the-art for DER communication systems. The team found multiple security weaknesses that could be exploited to gain access to or control of DER devices. These findings have been shared with the device vendors to take corrective actions and with the solar industry in anonymized form to provide example concerns, best practices, and recommendations for improving the cyber security posture of the DER devices and the US power system as a whole.

ACKNOWLEDGEMENT
This research was funded by the U.S. Department of Energy’s SunShot National Laboratory Multiyear Partnership Program. Sandia National Laboratories is a multi-mission laboratory managed and operated by National Technology and Engineering Solutions of Sandia, LLC., a wholly owned subsidiary of Honeywell International, Inc., for the U.S. Department of Energy's National Nuclear Security Administration under contract DE-NA-0003525.
REFERENCES
[1] IEEE Std. 1547-2008, “IEEE Standard for Interconnecting Distributed Resources with Electric Power Systems,” Institute of Electrical and Electronics Engineers, Inc., New York, NY.
[2] Quadrennial Energy Review (QER), “Transforming the Nation’s Electricity System,” January 6, 2017.
[3] National Cybersecurity and Communications Integration Center/Industrial Control Systems Cyber Emergency Response Team, Year in Review, FY 2015.
[4] Industrial Control Systems Cyber Emergency Response Team, ICS-CERT Year in Review, 2014.
[5] K. Zetter, “Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid,” Wired, March 3, 2016.
[6] E-ISAC, Analysis of the Cyber Attack on the Ukrainian Power Grid: Defense Use Case, March 18, 2016.
[7] Pacific Gas and Electric Co., Electric Rule No. 21, Generating Facility Interconnections, Filed with the CPUC, Jan. 20, 2015.
[8] Hawaiian Electric Company, Inc., Rule No. 14, Service Connection and Facilities on Customer’s Premises, D&O No. 33258 filed Oct. 12, 2015, effective Oct. 21, 2015.
[9] SunSpec Alliance, SunSpec Technology Overview, SunSpec Alliance Interoperability Specification, v 1.4.
[10] P. Fairley, “800,000 MicroInverters Remotely Retrofitted on Oahu in One Day,” IEEE Spectrum, 5 Feb 2015.
[11] A. Konkar, “‘Something Astounding Just Happened’: Enphase’s Grid-Stabilizing Collaboration with Hawaiian Electric,” Enphase Energy blog, 11 Mar 2015.
[12] GE Energy Consulting, Oahu Distributed PV Grid Stability Study, Part 1: System Frequency Response to Generator Contingency Events, March 3, 2016.
[13] T. Fox-Brewster, “This Man Hacked His Own Solar Panels... And Claims 1,000 More Homes Vulnerable,” Forbes, Aug. 1, 2016.
[14] F. Bret-Mounet, “All Your Solar Panels are Belong to Me,” DEF CON 24, Las Vegas, Aug 4-7, 2016.
[15] K. Leswing, “A massive cyberattack knocked out major websites across the internet,” Business Insider, 21 Oct 2016.
[16] B. Seal, et al., “Final Report for CSI RD&D Solicitation #4 Standard Communication Interface and Certification Test Program for Smart Inverters,” June 2016.
[17] J. Henry, et al., “Cyber Security Requirements and Recommendations for CSI RD&D Solicitation #4 Distributed Energy Resource Communications,” Oct 2015.
[18] Sandia National Laboratories, The Information Design Assurance Red Team (IDART™), 2009. URL: http://www.idart.sandia.gov/
[19] K. Stouffer, V. Pillitteri, S. Lightman, M. Abrams, A. Hahn, “Guide to Industrial Control Systems (ICS) Security,” NIST, May 2015.
[20] DHS, ICS-CERT, Recommended Practices, May 22, 2017. URL: https://ics-cert.us-cert.gov/Recommended-Practices
... Reconnaissance is usually the first step to launching a cyberattack on a smart inverter. It utilizes some network scanning tools, e.g., Nmap, OpenVAS, etc., running on the attacker-side devices to get information about the inverter, including the IP and MAC addresses, open ports, operating services, some identified vulnerabilities, and the condition of the security patches [42]. In [42], the author found the tested inverter is susceptible to DoS attacks, which will be exploited by attackers to manage the next action. ...
... It utilizes some network scanning tools, e.g., Nmap, OpenVAS, etc., running on the attacker-side devices to get information about the inverter, including the IP and MAC addresses, open ports, operating services, some identified vulnerabilities, and the condition of the security patches [42]. In [42], the author found the tested inverter is susceptible to DoS attacks, which will be exploited by attackers to manage the next action. ...
... 2) Replay Attacks: Replay attack is a scheme in which data transmission is recorded, then resent (with potential modification by attackers). Researchers from the Sandia National Laboratories executed this type of attack on two different inverters with UDP/IP and TCP/IP protocols, respectively, using the SPAN tool to modify the DC disconnection voltage setting command sent from the client-side [42]. The results showed that the falsified commands over UDP/IP protocol were accepted by the inverter but rejected over TCP/IP protocol. ...
Article
Full-text available
The penetration of distributed energy resources (DER) in smart grids significantly increases the number of field devices owned and controlled by consumers, aggregators, third parties, and utilities. As the interface between DER and power grids, DER inverters are becoming smarter with various grid-support functions and communication capabilities. Meanwhile, the cybersecurity risks of smart inverters are also on the rise due to the extensive utilization of information and communication technologies (ICT). The potential negative impacts of cyberattacks on smart inverters have attracted significant attention from scholars and organizations. To advance the research on smart inverter cybersecurity and provide insights into its technical achievements, barriers, and future directions, this paper will give a comprehensive review of critical attacks and defense strategies for smart inverters and inverter-based systems like microgrids. We start this survey with an overview of the smart inverter introduction, including device- and grid-level architectures, grid-support functions, and communication protocols. We then review various cyberattacks and defense strategies in different categories and scenarios tailed with discussions including their feasibility and remaining gaps. Finally, we discuss the opportunities and challenges of emerging technologies that can secure smart inverters. We hope this survey can inspire efforts to close research gaps and develop more mature cybersecurity solutions for smart inverters in the smart grid.
... For instance, some attacks might have to be performed iteratively and reproduced multiple times to compromise the system behavior. This could be the case with packet replay, DoS, and MitM attacks, where attacks might aim to spoof DER communications or exhaust DER protocols and/or device resources, causing intermittent or slow communication, or loss of communication altogether [38]. The attack functional level and the targeted DER assets notably differ when considering communication protocol and device attacks. ...
... We refer to mission-critical system assets which can jeopardize grid operation if maliciously compromised by threat actors as crown jewels [41]. Crown jewels span the ICT infrastructures, such as the stakeholder-to-DER device communication channels [38], physical-interfaces [36], and the DER devices themselves. Notably, DER devices include PV inverters or smart inverters [32], battery energy storage systems, EVs, wind turbines [35], demand-side loads [42], and DER controllers. ...
... Packet Replay: Data transmissions between DER client applications and the DER devices are recorded, modified, and retransmitted by attackers at different time instances. [38], [44]
Supply-chain: Adversary adds malware during either the component manufacturing, system integration, shipping, or installation stages. The malware can be weaponized remotely to perform unauthorised/unintended actions. ...
Preprint
The digitalization and decentralization of the electric power grid are key thrusts towards an economically and environmentally sustainable future. Towards this goal, distributed energy resources (DER), including rooftop solar panels, battery storage, electric vehicles, etc., are becoming ubiquitous in power systems, effectively replacing fossil-fuel based generation. Power utilities benefit from DERs as they minimize transmission costs, provide voltage support through ancillary services, and reduce operational risks via their autonomous operation. Similarly, DERs grant users and aggregators control over the power they produce and consume. Apart from their sustainability and operational objectives, the cybersecurity of DER-supported power systems is of cardinal importance. DERs are interconnected, interoperable, and support remotely controllable features; thus, their cybersecurity should be thoroughly considered. DER communication dependencies and the diversity of DER architectures (e.g., hardware/software components of embedded devices, inverters, controllable loads, etc.) widen the threat surface and aggravate the cybersecurity posture of power systems. In this work, we focus on security oversights that reside in the cyber and physical layers of DERs and can jeopardize grid operations. We analyze adversarial capabilities and objectives when manipulating DER assets, and then present how protocol- and device-level vulnerabilities can materialize into cyberattacks impacting power system operations. Finally, we provide mitigation strategies to thwart adversaries and directions for future DER cybersecurity.
... Commonly used protocols present some severe vulnerabilities [1]. In particular, they usually lack encryption and authentication, so it is possible to carry out Man In The Middle (MITM) attacks [2] [3]. Furthermore, electrical protections are related to severe risks in the power system, so that an attack against a single relay may cause cascading effects, leading to the disconnection of a large portion of distribution grids. ...
... Electrical SCADA systems are mostly based on industrial protocols, such as Modbus and IEC 61850, which lend themselves to severe vulnerabilities [1]. The main issue is that they lack encryption and authentication, so they are prone to Man In The Middle (MITM) attacks [2,3]. An evaluation of attack scenarios against DERs, a systematic DER resilience analysis methodology, as well as quantifiable resilience metrics and design principles, are proposed in [4]. ...
Article
Distributed Energy Resources (DERs) are growing in importance in Power Systems. Battery Electrical Storage Systems (BESS) represent fundamental tools in order to balance the unpredictable power production of some Renewable Energy Sources (RES). Nevertheless, BESS are usually remotely controlled by SCADA systems, so they are prone to cyberattacks. This paper analyzes the vulnerabilities of BESS and proposes an anomaly detection algorithm that, by observing the physical behavior of the system, aims to promptly detect dangerous working conditions by exploiting the capabilities of a particular neural network architecture called the autoencoder. The results show the performance of the proposed approach with respect to the traditional One Class Support Vector Machine algorithm.
... While such mature guidelines have been already proposed in the ICT domain [13], the standardization efforts in CPS are still in progress. For example, while DERs are increasingly used in SG, they often fail to meet the critical infrastructure protection security requirements [117][118][119] established by the North American Electric Reliability Corporation (NERC) in [120]. ...
Article
Smart grids (SG) draw the attention of cyber attackers due to their vulnerabilities, which are caused by the usage of heterogeneous communication technologies and their distributed nature. While preventing or detecting cyber attacks is a well-studied field of research, making SG more resilient against such threats is a challenging task. This paper provides a classification of the proposed cyber resilience methods against cyber attacks for SG. This classification includes a set of studies that propose cyber-resilient approaches to protect SG and related cyber-physical systems against unforeseen anomalies or deliberate attacks. Each study is briefly analyzed and is associated with the proper cyber resilience technique which is given by the National Institute of Standards and Technology in the Special Publication 800-160. These techniques are also linked to the different states of the typical resilience curve. Consequently, this paper highlights the most critical challenges for achieving cyber resilience, reveals significant cyber resilience aspects that have not been sufficiently considered yet and, finally, proposes scientific areas that should be further researched in order to enhance the cyber resilience of SG.
Article
High penetration of renewable and sustainable Distributed Energy Resources (DER) into the traditional distribution system requires a well-coordinated control strategy for the improvement of system-wide reliability and resiliency. Implementation of such a holistic control architecture requires a flexible, near real-time, and bi-directional communication framework for facilitating the participation of various agents in a multi-vendor heterogeneous smart grid. While the sustainability of energy generation is ensured, this exposes the smart grid to extrinsic cyber threats, and appropriate defense mechanism(s) must be deployed to guarantee continued reliability and resiliency of the power grid. The comprehensive literature review presented in this paper discusses the latest trends in the DER control schemes with fast communication requirements and their accompanying cyber–physical vulnerabilities. These control schemes are compared and contrasted for various traits. A three-level DER system architecture has been depicted, facilitating the deployment of these control schemes. The current developments of standard communication protocols, key security mechanisms, and best practices along with major standards and guidelines are explored. The impacts of different attack types with miscellaneous DER functions based on various control schemes and associated mitigation solutions are also provided. Finally, challenges and future research directions for limiting cyber-power susceptibility to enhance resiliency are summarized. The work presented here will help us enable a cyber-resilient and sustainable smart electric grid.
Article
The electric grid modernization effort relies on the extensive deployment of microgrid (MG) systems. MGs integrate renewable resources and energy storage systems, allowing them to generate economic and zero-carbon footprint electricity, deliver sustainable energy to communities using local energy resources, and enhance grid resilience. MGs as cyberphysical systems include interconnected devices that measure, control, and actuate energy resources and loads. For optimal operation, cyberphysical MGs regulate the onsite energy generation through support functions enabled by smart inverters. Smart inverters, being consumer electronic firmware-based devices, are susceptible to increasing security threats. If inverters are maliciously controlled, they can significantly disrupt MG operation and electricity delivery as well as impact the grid stability. In this paper, we demonstrate the impact of denial-of-service (DoS) as well as controller and setpoint modification attacks on a simulated MG system. Furthermore, we employ custom-built hardware performance counters (HPCs) as design-for-security (DfS) primitives to detect malicious firmware modifications on MG inverters. The proposed HPCs periodically measure the order of various instruction types within the MG inverter's firmware code. Our experiments illustrate that the firmware modifications are successfully identified by our custom-built HPCs utilizing various machine learning-based classifiers.
References
Quadrennial Energy Review (QER), "Transforming the Nation's Electricity System," January 6, 2017.
K. Zetter, "Inside the Cunning, Unprecedented Hack of Ukraine's Power Grid," Wired, March 3, 2016.
Pacific Gas and Electric Co., "Electric Rule No. 21, Generating Facility Interconnections," Filed with the CPUC, Jan. 20, 2015.
Hawaiian Electric Company, Inc., "Rule No. 14, Service Connection and Facilities on Customer's Premises," D&O No. 33258, filed Oct. 12, 2015, effective Oct. 21, 2015.
P. Fairley, "800,000 MicroInverters Remotely Retrofitted on Oahu-in One Day," IEEE Spectrum, 5 Feb 2015.
A. Konkar, "'Something Astounding Just Happened': Enphase's Grid-Stabilizing Collaboration with Hawaiian Electric," Enphase Energy blog, 11 Mar 2015.
GE Energy Consulting, "Oahu Distributed PV Grid Stability Study, Part 1: System Frequency Response to Generator Contingency Events," March 3, 2016.
T. Fox-Brewster, "This Man Hacked His Own Solar Panels... And Claims 1,000 More Homes Vulnerable," Forbes, Aug. 1, 2016.
F. Bret-Mounet, "All Your Solar Panels are Belong to Me," DEF CON 24, Las Vegas, Aug 4-7, 2016.
K. Leswing, "A massive cyberattack knocked out major websites across the internet," Business Insider, 21 Oct 2016.