Part of Grid Network »

The Grid Professionals Group covers electric current from its transmission step down to each customer's home. 


The Importance of Security in a Utility Industry That’s Increasingly Distributed

image credit: Photo 130780840 © Leowolfert - Dreamstime
Danish Saleem's picture
Senior Cybersecurity Systems Researcher National Renewable Energy Laboratory

Danish Saleem serves as DER Cybersecurity Standards Lead in the Energy Security and Resilience (ESR) center of National Renewable Energy Lab (NREL). He works with the public and private sector to...

  • Member since 2019
  • 9 items added with 5,623 views
  • Aug 26, 2019 7:00 pm GMT

This item is part of the Special Issue - 2019-09 - Distributed Energy Resources, click here for more

The smart grid cyber-physical system has digital technologies coexisting with legacy power system devices, and its distribution network has been equipped with intelligent electronic devices and advanced metering infrastructure to enhance energy efficiency, support increased penetration levels of distributed energy resources (DERs), and enable command and control functionalities down to the customer level. This leads to a potentially larger attack surface and an increased susceptibility to potential cyber-physical attacks.

The infrastructure of DERs was originally designed with the primary intention of harnessing the potential of renewable energy. For such a setting, security at the device, network, or application levels of DERs was of little to no concern. The growing penetration levels of DERs has increased the overall attack surface of critical infrastructure such as smart grids. The lack of in-place security controls has led to many successful cyber-physical attacks over the last five years (REF1).

Your access to Member Features is limited.

Utilities have traditionally relied on intrusion detection and prevention systems (ID/PS), firewalls and other tools to protect the bulk of their resources, but such tools are limited to signature-based malware detection and fail against data fuzzing, stealthy attacks, and insider threats. Further, poor cybersecurity business processes are in place for analysts to follow while integrating new products into their trusted networks. A business process is a set of activities that drives an organization toward its mission. This is more crucial for electric utilities as they are driven by the mission to provide reliable and safe power to meet dynamic consumer demands at all times.

In the emerging age of the industrial Internet of Things and DERs, threat landscapes of information technology (IT) and operational technology (OT) have become intertwined, with data at the core. The information assurance (IA) model posits three dimensions of security, each with multiple characteristics: 1) security goals: confidentiality, integrity, availability, accountability, possession, and utility; 2) state of information: information stored, processed, or transmitted; and 3) security countermeasures: technology (commercial off-the-shelf or in-house), assessments, and human factors. The holistic multidimensional framework shown in the below figure imbibes these dimensions of IA model in its solution dimensions shown on the right, which cohesively address the three levels of security. The primary aim of such a framework is to not only secure the energy systems holistically but to also protect the critical infrastructure from cyberattacks:

1) Device-level: security of the physical devices and their interfaces (user and machine)

2) Communications-level: security of the communications medium that the devices use to send and receive packets

3) Application-level: security of the processing and analytical applications that deliver high-end insights to analysts and operators

The proposed framework places multiple security technologies at different layers of the Open Systems Interconnect (OSI) stack, enforces sound assessments, and embeds intelligent algorithms to ensure a strong security posture.

To develop, research, and implement the holistic multidimensional framework for DERs, NREL has been collaborating with Dr. Arif I. Sarwat, Director of the Energy, Power & Sustainability (EPS) Group of the Florida International University (FIU), Miami, which conducts advanced research to solve specific challenges in smart grids, renewable integration, big data analytics, and cybersecurity. This collaborative work primarily involves lab-scale simulations and tests to study the impacts of employing such a framework on larger and massively integrated systems, and then conducting field validations.

In addition to this, NREL is also collaborating with government and industry partners— including SunSpec Alliance, UL, National Electrical Manufacturers Association, IEEE 1547 standard working group, IEEE P2030 standard working group, IEC Technical Committee 57 Working Group 15, Smart Electric Power Alliance Smart Grid Cybersecurity Committee, and NIST Smart Grid Program— to support the development of a national/international standard to ensure that DERs have minimum cybersecurity policies, controls, and procedures that maximize the strengths of authentication, authorization, and integrity of the data, communications, and exchange of information.

To read more about these, and other, NREL efforts to bolster the cybersecurity of DERs, see these publications:


Co-authored by: 

Danish Saleem, Energy Security & Resilience Center, National Renewable Energy Laboratory

Aditya Sundararajan, Electrical and Computer Engineering Department, Florida International University


Danish Saleem's picture
Thank Danish for the Post!
Energy Central contributors share their experience and insights for the benefit of other Members (like you). Please show them your appreciation by leaving a comment, 'liking' this post, or following this Member.
More posts from this member
Spell checking: Press the CTRL or COMMAND key then click on the underlined misspelled word.
Richard Brooks's picture
Richard Brooks on Aug 26, 2019

Good article, but I'm somewhat surprised there is no mention of NREL working with the two standards bodies serving the Elertric Industry with regard to cybersecurity standards, NERC (, with their CIP standards, and NAESB ( ), with their PKI and Smart Grid standards.

Also, FERC Order 850 contains specific requirements to verify software object authenticity and integrity, effective July 1, 2020, which was not mentioned.

Danish Saleem's picture
Danish Saleem on Aug 26, 2019

Hi Richard. Glad that you liked it.
I am sure that someone within NREL must be working with NERC and NAESB but I am not aware of that . NREL is huge and almost 2000 people work here so sometimes it is difficlut to keep a track of other people work. This article is focused on the reserach that I am doing at NREL and the standard developement organziations with whom I am connected with. I do plan to start coordination with NERC. I already started engagement with NARUC and hopefully soon I will start discussion with NERC CIP committee. 

Richard Brooks's picture
Richard Brooks on Aug 28, 2019

Thanks Danish. You may also find it beneficial to share your work with NAESB's cybersecurity subcommittee. Thanks for responding.

Matt Chester's picture
Matt Chester on Aug 27, 2019

The primary aim of such a framework is to not only secure the energy systems holistically but to also protect the critical infrastructure from cyberattacks:

1) Device-level: security of the physical devices and their interfaces (user and machine)

2) Communications-level: security of the communications medium that the devices use to send and receive packets

3) Application-level: security of the processing and analytical applications that deliver high-end insights to analysts and operators

I really appreciate this framing, Danish. One question it brings up for me is this: how do utilities best approach the cybersecurity questions when it comes to items they've outsourced to third parties-- whether applications, devices, etc.? Surely the responsibility is on the energy providers to vet the solutions they choose, but how deep does that vetting tend to go and do you think it's sufficient?

Danish Saleem's picture
Danish Saleem on Aug 27, 2019

I am glad that you actually asked this question. I think I have asked the same question 100 times either to myself or to others. So buckle up as this is going to be a big repsonse!

What I have understood, based on my research in last 4 years, is that manufacturers might not consider to add cybersecure functionlaities in their products if their clients (which in this case let's say are Utilities) will not ask them to do so. So how this is going to change ?? I am working with UL to establish a standard and a certification that manufacturers can use to take help for establishing secure functionalities in their products (from standrad) and can also use to certify their products once they are sure that the functionalities which are required by the standard are part of their product design (using certification). 

Now on the other hand, utiltities need to play a big role over here by adding the language in their request for proposal (RFP) that matches the language of UL standard. So that when manufacturers respond to utiltites RFP, they can see that utiltities are demanding cybersecure functionalities to be part of the product which they will eventually want to purchase.

Now I do understand that it would be a long debate in otrder to bring the industry people on one page and have them agree to certian basic level of cybersecurity functionalities. But that is the job of standard development organizations (SDOs). They need to carry out this work the betterment of industry.  

Matt Chester's picture
Matt Chester on Aug 28, 2019

Thanks for your thoughtful response, Danish-- I can appreciate you've spent a lot of time on this issue, so your insights are quite valuable

Richard Brooks's picture
Richard Brooks on Aug 29, 2019

Totally agree. FERC Order 850 mandates implementation of the NERC Supply Chain standards, CIP-013 for this very purpose. These regulations take effect on July 1, 2020.

Richard Brooks's picture
Richard Brooks on Nov 20, 2019

Danish, I'm looking forward to atteding your session at the IEEE Smart Grid Cybersec workshop in Atlanta on 12/12-13. See you in Atlanta:

Get Published - Build a Following

The Energy Central Power Industry Network is based on one core idea - power industry professionals helping each other and advancing the industry by sharing and learning from each other.

If you have an experience or insight to share or have learned something from a conference or seminar, your peers and colleagues on Energy Central want to hear about it. It's also easy to share a link to an article you've liked or an industry resource that you think would be helpful.

                 Learn more about posting on Energy Central »