Scaling Up, Staying Secure

Assessing the Cyber Risks of Distributed Energy Resources in the Smart Grid


Abstract

Distributed Energy Resources (DER), like solar panels, are projected to take over power generation responsibilities. This will happen during the transition of the current power grid to the Smart Grid. Due to the importance of this power to society, it is crucial that the grid stays stable.

DER devices are similar to IoT devices in scale, low user interaction and the use of firmware. IoT cyberattacks have been shown to have the ability to scale horizontally quickly. A vulnerability in DER devices could lead to such a scalable attack if the market for DER is oligopolistic. Due to the same underlying economic drivers such as economy-of-scale, market-for-lemons, first-mover-advantage and tragedy-of-the-commons, DER devices will likely have the same issues as IoT devices had if nothing is changed.

This research focuses on the role of the grid’s transition state and the DER market’s state in introducing this risk. Eight thousand one hundred (8100) scenarios were created based on a combination of parameters describing these states. An agent-based model created for this research simulated the grid and obtained the required data.

Results indicate that the grid and market parameters can introduce a cyber risk into the Smart Grid. The results show that if 5% of the households are infected, an attacker could abuse them to manipulate the grid, perhaps causing a blackout.

Furthermore, related work did not contain any references to this particular risk, and some proposed grid monitoring solutions include the use of neighbouring DER for monitoring. An attack of this nature would be able to manipulate such a monitoring solution. If the risk of an oligopolistic DER market is not considered, the Smart Grid may not have any effective means of monitoring or mitigation.

Recommendations for policymakers and regulators were made as part of this research. The first recommendation is to allow the collection of real-time information on the grid-connected DER by grid operators. Furthermore, consideration must be given to the use of forced patching on DER. A delay in patching could impact the grid too much. Finally, the recommendation is to develop a policy on the local diversity of DER. Devices with the same firmware should not be allowed to obtain a critical mass in a region.
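As an added illustration (not code from the thesis), the sketch below shows how a grid operator holding a DER inventory could check the local-diversity recommendation: it flags any firmware that reaches a critical share of households in a region. The 5% threshold is an assumption borrowed from the infection figure in the results, and the record layout, region names, firmware labels and function names are all constructed for this example.

```python
from collections import defaultdict

# Assumption: treat the 5% household figure from the abstract as the critical mass.
CRITICAL_SHARE = 0.05

# Constructed data: number of grid-connected households per region.
HOUSEHOLDS_PER_REGION = {"north": 200, "south": 40}


def sample_inventory():
    """Constructed inventory: one (household_id, region, firmware) tuple per DER device."""
    inv = [(f"n{i}", "north", "vendorA-1.2") for i in range(12)]        # 12/200 = 6%
    inv.append(("n0", "north", "vendorA-1.2"))                          # 2nd device, same household
    inv += [(f"n{i}", "north", "vendorB-3.0") for i in range(12, 20)]   # 8/200 = 4%
    inv += [(f"s{i}", "south", "vendorB-3.0") for i in range(2)]        # 2/40 = 5%
    inv.append(("x1", "east", "vendorA-1.2"))                           # region missing from counts
    return inv


def firmware_concentration(inventory, households_per_region,
                           critical_share=CRITICAL_SHARE):
    """Return (region, firmware, share, reason) findings, sorted by region and firmware.

    Share is measured in distinct households, not devices, so a household
    with several devices on the same firmware is counted once.
    """
    exposed = defaultdict(set)
    for household, region, firmware in inventory:
        exposed[(region, firmware)].add(household)

    findings = []
    for (region, firmware), households in exposed.items():
        total = households_per_region.get(region)
        if not total:
            # Without a household count the share cannot be judged; report the gap.
            findings.append((region, firmware, None, "no household count"))
            continue
        share = len(households) / total
        if share >= critical_share:
            findings.append((region, firmware, share, "critical mass"))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in firmware_concentration(sample_inventory(), HOUSEHOLDS_PER_REGION):
        print(finding)
```

Counting households rather than devices matches the way the abstract states its threshold, and the "no household count" finding surfaces gaps in the real-time inventory that the first recommendation is meant to close.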