Security in virtual power plants & DER management

Get the full white paper

Standardisation & the role of edge computing in DER management

Distributed energy is the future of Australia’s electricity system. The Australian Energy Networks Association (AENA) anticipates that by 2027 40% of energy consumers will have a distributed energy resource (DER) on site. This number is expected to surge to nearly 70% by 2050. Industry bodies such as the Australian Energy Market Operator (AEMO) and Australian Energy Market Commission (AEMC) - among others - have made similar projections. Many of these will take part in virtual power plant (VPP) programs, which reward system owners for supplying services into the energy system.

While DERs have been revolutionary for consumer choice and the ‘democratisation of energy’, their rise poses a number of unprecedented challenges to the electricity system, with risks for individuals, businesses, operators and the system as a whole if not managed proactively and effectively. These challenges fall into two broad categories: Complexity and security.

This article - part of SwitchDin’s forthcoming white paper about standardisation in the distributed energy space - investigates how edge computing solutions like SwitchDin’s will help energy companies to address the second of these two challenges, security, incorporating both energy system stability and cyber security. Part one of this series covers the issue of complexity.

DER management challenge: Security

The NEM is the ‘biggest machine in the world’, servicing the majority of Australia’s population of about 25 million people. The NEM is designed to work from the top down, delivering electricity generated by a small number of large-scale generators across thousands of kilometers of ‘poles and wires’ to meet the energy needs of consumers - mainly homes, businesses and industry. (The Wholesale Energy Market (WEM) is the NEM’s Western Australian counterpart, services a smaller and more sparsely distributed population but is currently facing similar challenges.)

The advent of commonplace rooftop solar has turned this system on its head. Twenty percent of Australian homes now have a solar photovoltaic (PV) system, making them generators as well as loads; power flows can now be bi-directional.

This transformation has enormous implications for the security of the energy system, both in terms of:

1. The way that high penetrations of unmanaged DERs can impact the physical stability of the grid (which must always maintain the energy supply/demand balance); as well as

2. The potential for high DER uptake to increase the susceptibility of the energy system to malicious cyber attacks.

Edge computing will be essential in addressing the first of these implications, and will also play a key role in mitigating the second.

Physical stability & system resilience

According to the Independent Review into the Future Security of the National Electricity Market - AKA the ‘Finkel Review’, “[S]ecurity is a measure of the power system’s ability to continue operating, even in the event of a disturbance such as the unexpected loss of generation or load.” Security is a cornerstone principle of the NEM, with strict rules in place to minimise the frequency and duration of outages for end users.

AEMO is taking action on the Finkel Review’s advice that DERs will “increase complexity of operating the power system” to potentially “undermine the effectiveness of existing mechanisms for maintaining security”, building a number of partnerships with government and energy industry bodies to establish a framework to effectively incorporate DERs into the energy system. Energy Networks Australia (ENA) and the CSIRO have also published an Electricity Network Transformation Roadmap that plans for the effective integration of DERs into the grid over the coming decades.

Energy system transformation

According to AEMO, there are four key characteristics to the energy transformation currently underway. All of them present both challenges and opportunities; none of the trends are inherently destabilising to the energy system if managed effectively.

Homogenous to diverse supply resources

• Description: Moving away from a small number of large generators (mainly fossil fuels and hydro) to a system that incorporates more small and medium-scale generators as well - mainly wind, solar and batteries.

• Challenges: A larger number of DERs will mean more energy consumption ‘disappearing’ behind consumer energy meters, potentially leading to increased energy market unpredictability, further exacerbated by the intermittency of solar PV (without batteries), the most common on-site generation type. Demand on the NEM may become more difficult for AEMO to forecast and plan for without near real-time visibility into DER sites. Perhaps more importantly, unmanaged DERs could result in localised power quality issues (e.g. overvoltage) for networks and/or solar output curtailment for solar-equipped homes and businesses.

• Edge computing can provide visibility & control of diverse DER assets via a single portal for market & network operators, while enabling smarter self-regulation for DER sites to navigate common, recurring issues. While this orchestration of ‘dumb’ but internet-connected devices may be possible via the vendor’s cloud platform API, the operator is then dependent on a consumer cloud platform and typically public internet or other communications pathway which is not under their management. (Discussed in Challenge 1: Complexity.)

Synchronous to non-synchronous generation

• Description: A transition away from high-inertia, spinning generators (e.g. coal and gas turbines) whose operation has historically been key part of frequency stabilisation on the grid, to a low-inertia system (e.g. solar PV inverters), where there is a greater need for frequency control services - which could be supplied by more diverse sources (including batteries).

• Challenges: Frequency control ancillary services (FCAS) are essential for electricity system stability as demand and generation ramp up and down. Large-scale synchronous generators have historically stabilised frequency on the grid by compensating for these changes through the FCAS market. Greater reliance on solar (both small-scale and large) on the NEM means a lower-inertia energy system, which in turn increases the scale of FCAS required to stabilise the grid.

• Edge computing will allow distributed battery storage systems (and other DER components) to be aggregated into fleets to provide FCAS to the grid.

A centralised to a decentralised system

• Description: A growing number of Australia’s generation assets are small-scale and located behind customers’ meters - a move away from ‘conventional’ large-scale generators, which are usually located some distance away from points of consumption. (This trend has significant overlap with 1) above.)

• Challenges: Complexity of power flows on the grid increases as more distributed resources come online and homes and businesses are energy producers as well as consumers; this complexity is exacerbated by DERs being ‘invisible’ to AEMO and energy companies. The biggest impacts will be for local sections of distribution networks serviced by pole transformers, where high solar penetration can increase voltage levels outside specified limits, resulting in power quality and reliability issues.

• Edge computing will provide visibility & control of DERs on the grid, allowing VPP operators to aggregate DERs to take action to manage location-specific issues or tap into market opportunities.

Passive to active consumers

• Description: The rise of affordable rooftop solar has dramatically transformed the way that Australian homes and businesses engage with energy. DER owners look for ways to maximise their system’s value by increasing energy self-consumption & independence - either through encouraging behavioural change or smart switching technology. They will also explore more dynamic ways of contributing to the grid - to their own financial advantage - as new opportunities emerge.

• Challenges: With rapidly increasing uptake of solar & battery storage, homes and businesses will still draw energy from the grid but will rely on it less then ever, resulting in reduced predictability of energy demand on the NEM, and more volatility in power flows in parts of distribution networks.

• Edge computing will help AEMO and energy companies understand how changes in consumer behaviour affect electricity demand across the NEM - both in real time and over longer-term trends - and to plan and take action accordingly. It will also be essential for DERs to deliver meaningful services into the grid in response to specific events - such as high spot market prices on the NEM or overvoltage on a local network.Cyber security in DER management

Cyber security in DER management

Australia’s energy industry is already taking steps to ensure that the energy system of the future can incorporate and utilise distributed resources to bolster its physical reliability; edge computing will play a key role in making this possible. But increasing reliance on DERs may expose the grid to an increased risk of malicious cyber attacks, which could undermine system stability, compromise user data - or both.

Background and existing frameworks

At present, neither the National Electricity Market Rules nor Law detail any minimum mandatory cyber security practices for Australia’s energy sector. Instead, the onus is on industry players to determine the adequacy of their cyber security infrastructure for themselves. While AEMO has been successfully spearheading initiatives in an effort to uplift the overall level of cyber maturity across the sector, participation is voluntary. This lack of clear legal requirements is by no means an indication that malicious cyber actions are not considered a threat to energy system security: the 2017 Finkel Review specifically identified energy system cyber security as a matter of national significance, making high level recommendations for action.

Current level of preparedness ‘inadequate’

AEMO has since implemented a number of these recommendations, including the delivery of an inaugural Cyber Security Preparedness Report (CSPR) in December 2018 under the Australian Energy Sector Cyber Security Framework (AESCSF). The report is based on responses from key industry stakeholders (including generators, transmission & distribution network operators, retailers and AEMO themselves) to a cyber security maturity self-assessment toolkit. The publicly available version of the report consists of only two pages of material (a more substantial version was delivered to the Energy Security Board), but does state that “current provisions in the national energy regulatory framework are inadequate to address cyber security risk” to Australia’s energy system.

This view is supported by the Australian Cyber Security Centre (ACSC), which has also identified the energy sector as a prime target for malicious cyber attack, accounting for nearly 20% of incidents reported to the ACSC (then CERT Australia) in the 2016 financial year. The ACSC’s 2017 Threat Report discusses the vulnerability of IoT devices as a rising security threat. Between the two years’ reports, there was a 60% increase in reported incidents (418 in 2016 vs 734 in 2017) among privately operated ‘systems of national interest’ - a possible indication of the trends to come.

Industry best practice doesn’t apply to DER management (yet)

Responding to the rise in cyber security events, the ACSC has developed the Essential Eight Maturity Model to help organisations prioritise threat mitigation strategies. The Model also prescribes and outlines cyber preparedness maturity levels for organisations (e.g. energy retailers, networks, generators, and regulators), allowing them to evaluate their alignment with ‘best practice’ mitigation strategies; ‘higher risk environments’, which may include critical energy infrastructure, will be expect to meet the highest level of preparedness. While some market participants may use cloud platforms to control critical assets (i.e. medium to large-scale generators), SCADA systems remain the norm. VPPs, meanwhile, rely on cloud platforms as their default communications/control mechanism, and as they grow in size and importance, they will - by virtue of how they are used - become de facto critical assets.

Although the Essential Eight model is relevant for addressing security on an organisational level, it is not designed to address the unique challenges associated with VPPs, which involve a range of stakeholders across the value chain. For example, operators of conventional generators generally have top-down, direct control of their assets, which they may own and which are generally highly physically secure - both for OH&S & general safety reasons. By contrast, the assets deployed in a VPP are generally owned by individuals, and may be comprised of components from a range of manufacturers, each with their own communications protocols and cloud platforms. Furthermore, they are easily physically accessible, as key DER components like inverters and batteries are generally installed outside.

One document where DER management and cyber security are mentioned together is the Criticality Assessment Tool, developed by AEMO in conjunction with the Australian Cyber Security Centre (ACSC), Critical Infrastructure Centre (CIC) and the Cyber Security Industry Working Group (CSIWG) to help raise awareness of the growing cyber threat to energy sector players. It is used to determine the ‘desired target state maturity level’ (e.g. Level 3 or Level 4 within the AESCSF). While the weight currently assigned to risks associated with VPP operation is small, it will increase as VPPs grow in number and importance.

Consumer appliances meet regulated utilities

The distributed energy transformation involves shift away from a small number of SCADA-controlled industrial generators to a large number of small-scale DERs owned by millions of different homes and businesses. The equipment used in DERs - battery systems, inverters, and DREDs - are consumer appliances. While there are basic grid safety standards that these devices are required to meet, the security of their communications are not subject to the same level of scrutiny as large, centralised generators (classed as ‘critical infrastructure’).

Risk increases with VPP scale

As a thought exercise, SwitchDin has estimated that - in a modestly optimistic uptake scenario - close to 10% of maximum operational demand on the NEM - or about 3.5GW across about 700,000 homes - could be met using battery-based VPPs by 2040. This number could easily be larger if demand response functionality is added to the equation, or if battery storage uptake increases faster than the conservative input figures used in our modelling.

That being said, energy market participation is only one aspect of how VPPs will be deployed in the future grid; they will also be relied upon to address constraints on local distribution networks, and may also provide a portion of frequency control ancillary services (FCAS). As the energy system requires constant balancing between generation and loads, a loss of control or a malfunction of DERs aggregated to perform these functions as a result of a malicious attack could cause blackouts or physically damage equipment.

Physical distribution of DERs means multiple exposure fronts

Insidiously, there is the danger of DER components (such as a cloud-connected inverter) being used as an injection point for malware, which could spread into other devices or possibly into cloud control systems. A physical access point makes hacking easier than over the internet. In terms of cyber security, large-scale generators therefore have the advantage of being physically well guarded, while virtually anyone can walk up to a solar inverter located on the side of a house and guess the WiFi password or plug in an ethernet cable.

Although a physical access point makes an attack easier, it is not a necessary condition for an attack; there are inherent risks in relying on API connections to multiple vendor cloud platforms to run a VPP.  Inverter and battery products have various countries of origin, and each has its own cloud solution. While top-down standards will help to alleviate some of the complexity associated with this diversity, there will still be risks and costs compared to VPP in which the operator has direct control of devices through single management platform (e.g. SwitchDin’s approach).

Cyber attacks in energy & IoT

Three cyber attack events relevant to distributed resources in the energy sector are:

• The 2015 attack on the Ukrainian power grid, which is considered to be the first of its kind; in this event, hackers were able to compromise the information systems of three distribution network operators, temporarily disrupting service to customers.

  • This incident demonstrates the potential vulnerability of IT-dependent energy systems to malicious interference - in this case believed to be at the hands of a foreign adversary.

• The 2016 Dyn attack in North America and Europe, which was one of the first and largest of its kind. Hackers commandeered consumer-owned, internet of things (IoT) devices to perpetrate distributed denial-of-service (DDoS) attacks on domain name services (DNS) provider Dyn, rendering a large number of services and websites unavailable to users for its duration.

  • This attack demonstrates the vulnerability of many consumer-owned ‘smart’ devices - which were not designed with security in mind - to be hijacked by malicious actors.

• The Australian government blamed a massive act of industrial espionage of ‘managed service provider’ (MSP) cloud platforms in 2018 on hackers backed by a foreign government. MSPs are companies that are contracted - typically by large firms and government - to remotely manage IT infrastructure and/or end user systems.The event has been described as one of the largest ever perpetrated, exposing information about many of the MSPs’ clients as well as the personal information of tens of thousands of individual employees.

  • This incident demonstrates the vulnerability of even high-security cloud platforms to compromise via malicious action. Although it is not clear exactly how the hackers perpetrated this attack, common methods include:

    • Discovering and exploiting technical cloud platform vulnerabilities;

    • Cracking user passwords or stealing user credentials (e.g. via a phishing scam) to gain ‘legitimate’ access into a cloud service; and

    • Through a ‘malicious insider’, who either use their own credentials to do harm or open a gateway for outsiders to ‘get in’.

Costs of a data breach

Every cyber attack is different in terms of its target, form, size, impact and costs. For many organisations, the biggest threat is exposure of personal data or industrial secrets; the federal government requires reporting of certain data breaches to the Office of the Australian Information Commissioner (OAIC) under the Notifiable Data Breaches scheme. In the case of the energy sector, arguably the gravest potential threat is a cyber attack-induced blackout or damage to critical infrastructure or supporting equipment resulting from an IT system data breach, which may have its origins in human error, a system glitch or a malicious attack.

While the OAIC’s quarterly reporting on breaches contains detailed information about the size and means of cyber incidents (as well as non-cyber data breaches), it does not detail their estimated costs. The ACSC’s 2016 Threat Report does, however, note the the elements influencing the total costs associated with dealing with a breach; these include the cost of implementing strategies for future mitigation, reputational costs, remediation costs and legal costs.

There are, however, a number of publicly available reports from private cyber security firms that provide about the financial impacts of such events. Data from CISCO’s 2018 Asia Pacific Security Capabilities Benchmark Study, for example, suggests that the costs of a breach for over half the organisations surveyed was between about $1.3 million and $6.5 million (USD$1 million and USD$5 million) - or about $3.1 million on average.

The CISCO report does not cite a sample size specifically for Australia (although it claims roughly 2,000 respondents across the Asia-Pacific region). Nevertheless, the breach cost figures are very roughly corroborated by another, more detailed report - the 2018 Cost of a Data Breach Study by IBM Security Services and the Ponemon Institute - which puts the average cost of a data breach in Australia at about $2.6 million (USD$1.99) million based on a sample set of 24 Australian organisations.

This report notes that breaches caused by malicious or criminal attacks are both the most prevalent and costliest around the world, accounting for 50% of of reported incidents with a per capita cost of $218 (USD$157). The cost of a data breach is amplified with its size, making cyber security even more crucial for large organisations. This is particularly relevant when considering VPPs, which may eventually come to incorporate assets owned by tens of thousands to millions of individual participants.

Edge computing and cyber security

At the moment, there are no central rules governing cyber security requirements for these devices as components of a VPP. Instead, security is left to consumer choice in a competitive market, where price is generally a stronger driver than security for device vendors and consumers alike. The implications of this are crucial for energy companies who operate VPPs. Similar to the Dyn IoT attack mentioned above, the largest impacts of a VPP-originated cyber attack may not be for the individuals themselves, but for the stability of the system to which they are connected - for example, a regional grid outage caused by VPP failure due to an attack-induced malfunction.

Communications advantages with edge computing

Edge computing will be a standardising force in the new distributed energy paradigm. The first security advantage that edge computing brings to DER management is simplified communications. There are four possible communications approaches that organisations may take when running a VPP - both with and without edge computing. These are detailed below.

1. No edge computing: ‘Dumb’ but connected edge devices with limited functionality

   • These days, most DERs include at least one device (usually an inverter) with internet connectivity and a link to a central cloud platform, but do not necessarily have sophisticated on-board processing power or remote control functionality. At the simplest, the end user has visibility (via the inverter’s web portal or app) into their solar system’s current and historic output, with little to no functionality or control beyond that. These devices may be incorporated into VPPs via vendors’ cloud platform APIs, but only to monitor their performance for planning purposes. From a cyber security point of view, the risk from these devices is relatively small, but so is their utility to energy companies.

2. No edge computing: Disparate devices & vendor cloud APIs managed by central software

   • More sophisticated devices can be controlled as part of a VPP via the vendor’s API. In this way, an energy company may theoretically operate a VPP using their own software to manage cloud platform APIs from multiple vendor products. However, this requires reliance on cloud platforms from the different manufacturers and public internet or other potentially vulnerable communications pathways not under management of the VPP operator - a crucial consideration for organisations responsible for or with a stake in energy supply reliability.

3. Edge computing enabled: Secure pathways with vendor lock-in

   • At the next level of sophistication, an edge computing-enabled DER may allow users to access current and historical usage data about generation, consumption, alerts and actions, plus personalised control, scheduling and VPP participation functionality. Usually, the device is a battery system or inverter that gives ‘whole of system’ monitoring and control of key system elements, including batteries and loads. Data is processed primarily on-site, with only the most important, streamlined data being sent to a central cloud platform via secure pathways (WiFi or mobile connection).

   • This approach may be a good option from a cyber security standpoint, but usually entails vendor lock-in: The VPP operator may need to use the vendor’s cloud platform to control the fleet of inverters and/or batteries from the vendor; products from other companies may be excluded altogether. While this approach may deliver a high degree of security and control, it also severely limits consumer product choice, and is not an option that helps to facilitate VPP growth, which is likely to emerge largely ‘organically’ from market-driven uptake of battery storage.

4. Edge computing enabled: Secure pathways with vendor-neutral edge controller

   • Recognising the limitations in the above approaches, SwitchDin developed a VPP platform that a) creates a common language between devices - regardless of manufacturer or communications protocol - by integrating with each one directly (instead of by API), and b) consolidates DER fleet control into a single portal. Our solution delivers the cyber security & usability advantages of managing a VPP through one platform while preserving consumer choice and flexibility as the VPP market grows.

By standardising communications across devices, edge computing can help build self-healing networks of autonomously operating DER nodes connected to a central platform via secure communications channels, able to self-quarantine to mitigate damage in the event of an outage due to system stress or malicious attack.