
Utilities have a hard time quantifying the cybersecurity risk of the energy transition. A new tool in development aims to help.
The National Renewable Energy Laboratory is working to expand the application of its Cyber100 Compass tool to model risks to energy system upgrades. While still in the proof-of-concept stage, the project could eventually help utility planners make data-informed investments based on cybersecurity implications.
NREL is currently seeking feedback from utilities to support the development of the tool.
“Right now, there’s a lot of uncertainty about how risky the transition is,” said Maurice Martin, senior cybersecurity researcher at NREL. “It’s hard for utilities to know what kind of risk level they’re exposing themselves to, and that uncertainty can have a cooling effect.”
The energy transition’s shift toward a more distributed energy system increases the number of potential entry points for would-be attackers.
The FBI recently warned that the growing prevalence of inverter-based resources could mean more avenues of attack for malicious actors. Earlier this year, the agency said federal officials broke up an effort by Chinese government hackers to launch malware attacks on electric grids, water treatment plants, and transportation systems in the U.S.
Nearly 38% of 445 utility companies globally had weak cybersecurity management programs as recently as 2022, according to research by Morningstar Sustainalytics. Most of the recorded cybersecurity incidents affecting the companies the firm tracks involved breaches that compromised thousands of customers’ personal information. Some attacks, however, have led to service disruptions. For example, Luma Energy, a grid operator in charge of modernizing the power infrastructure in Puerto Rico, suffered a cyberattack in 2021 that blocked users from accessing their customer portal accounts during outages.
Quantifying the cybersecurity risks for future energy systems is currently an understudied and increasingly critical area of risk management, NREL said. The Cyber100 Compass application offers a novel approach for assessing and quantifying the impacts of cyberattacks on future power systems with high deployments of renewables.
The platform aggregates data inputs from subject matter experts in power systems, cybersecurity, and risk management on the probabilities for different cyber-physical events, the impact of an event, and the degree to which various system conditions might change the likelihood of cyber-physical events occurring.
The tool can provide users with a risk tolerance curve that visualizes a utility’s willingness to accept certain levels of risk based on the financial losses that could occur from a cyberattack. The risk tolerance curve can help users determine whether their system development plans are on track or are leading them toward unacceptable levels of risk.
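The comparison described above can be sketched in a few lines. This is an added example, not NREL's code or the Cyber100 Compass model: it combines expert-style event probabilities, impacts, and condition multipliers into a loss exceedance probability and checks it against a risk tolerance curve. Every event name, probability, loss figure, multiplier, and tolerance point is constructed for illustration, and events are assumed independent with fixed losses.

```python
from itertools import product

# Constructed expert estimates: event -> (annual probability, loss in $M).
BASELINE = {
    "customer_portal_breach": (0.10, 2.0),
    "der_inverter_compromise": (0.02, 15.0),
    "control_center_ransomware": (0.01, 40.0),
}
# Constructed condition modifiers (hypothetical names): multiplier applied
# to an event's probability when a planned system condition holds.
MODIFIERS = {
    "high_der_deployment": {"der_inverter_compromise": 3.0},
    "inverter_hardening": {"der_inverter_compromise": 0.5},
}
# Constructed risk tolerance curve: (loss in $M, maximum acceptable annual
# probability of losing at least that much).
TOLERANCE = [(2.0, 0.20), (15.0, 0.05), (40.0, 0.02)]

def apply_conditions(events, conditions):
    """Return a copy of events with each condition's multipliers applied."""
    adjusted = dict(events)
    for cond in conditions:
        for name, factor in MODIFIERS[cond].items():
            p, loss = adjusted[name]
            adjusted[name] = (min(1.0, p * factor), loss)
    return adjusted

def exceedance(events, threshold):
    """P(total annual loss >= threshold), enumerating every event outcome."""
    items = list(events.values())
    total = 0.0
    for outcome in product([0, 1], repeat=len(items)):
        prob, loss = 1.0, 0.0
        for hit, (p, cost) in zip(outcome, items):
            prob *= p if hit else 1.0 - p
            loss += cost * hit
        if loss >= threshold:
            total += prob
    return total

def violations(events):
    """Tolerance points where the plan's exceedance probability is too high."""
    return [(loss, round(exceedance(events, loss), 4), limit)
            for loss, limit in TOLERANCE
            if exceedance(events, loss) > limit]

if __name__ == "__main__":
    for plan in ([], ["high_der_deployment"],
                 ["high_der_deployment", "inverter_hardening"]):
        print(plan, violations(apply_conditions(BASELINE, plan)))
```

With these constructed inputs, the high-deployment plan alone crosses the tolerance curve at the $15M point, and pairing it with the hypothetical hardening condition brings it back under.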