The massive growth in renewable energy sources in recent years offers great opportunities for the energy industry in creating new and more advanced power systems, as well as hitting decarbonization targets. However these developments are not without challenges, and distributed energy resources, with systems in different locations, introduce greater security risks to operators.
Conventional power plants usually use buried fiber-optic cables for communications between supervisory control and data acquisition (SCADA) systems and their network of remote assets. This approach is generally secure but can be very costly. For solar PV installations, wind turbine farms and other renewable generation sources – which may be located in remote areas – this type of communications infrastructure is normally too expensive. Instead, many energy providers turn to wireless cellular networks, which are low-cost but not as secure.
This is why, in 2023, the Federal Energy Regulatory Commission (FERC) approved North American Electric Reliability Corporation’s (NERC) Reliability Standard CIP-003-9, which increases cybersecurity requirements for low-impact bulk electric system (BES) assets.
Organizations with assets containing low-impact BES cyber systems must have methods for determining and disabling vendor remote access and for detecting malicious communications for vendor remote access. These systems must be implemented by April 1, 2026.
The optimal approach to remote access cybersecurity is multi-party trust, which enables administrators to grant access in a very granular way. Multi-party trust solutions allow ICT managers to set up ‘trust rules,’ or policies that say who can access or even modify every device on that network.
To move beyond perimeter-based security, DER administrators will need to implement Zero Trust Architecture (ZTA) solutions, which have strict access controls, continuous monitoring, and verification of identity and access, all of which align with the broader goals of the new NERC CIP
standards. A data-centric approach that uses multi–party trust solutions builds upon the current regulations and ensures energy providers have the latest cybersecurity defenses.
With secure-by-design solutions, such as multi-party trust and data-centric networking, operators can achieve high levels of security without overbearing financial or staffing requirements.