The National Institute of Standards and Technology has identified a cybersecurity risk for smart inverters and is developing guidelines to prevent cyber attacks.
Cybersecurity guidelines for smart inverters used in small-scale solar deployments are available in draft form from the National Institute of Standards and Technology (NIST).
NIST notes that smart inverters, when “configured to behave in a grid-friendly, supportive manner,” help the local electric utility “address anomalies” on the electrical grid.
But an improperly configured inverter, NIST says, “can respond in inappropriate ways that worsen anomalies,” and “a large number of misconfigured smart inverters could negatively impact a utility’s efforts to address anomalies.”
That raises the specter of a cyberattack, as NIST states that “if a malicious actor were able to intentionally misconfigure many smart inverters, network stability and performance could be negatively affected.”
The design guidelines advise manufacturers to include cybersecurity capabilities in their smart inverters. The guidelines are based on NIST’s Basic Guidelines for Cybersecurity Capabilities, which NIST has made more specific to smart inverters.
How smart inverters communicate is a key focus of the draft guidelines, said Midhat Mafazy, regulatory program engineer at the Interstate Renewable Energy Council.
NIST design guidelines note that smart inverters can communicate with the electric utility, third-party operators, the device manufacturer, or other devices in the local area. But “this communications capability also presents an opportunity for cyberattacks,” NIST said.
NIST provided several examples of ways to protect smart inverter communications from “malicious actors” while still allowing necessary communications.
NIST also issued a draft recommendation to disable features and capabilities that are not used in a particular device’s deployment, giving three examples: remote access protocols and interfaces, wireless communications, and “guest” access to smart inverter features or capabilities.
Mafazy said the draft guidelines do not explicitly state how the autonomous functions of smart inverters should be handled. Those autonomous functions can help regulate voltage on a distribution circuit, increasing hosting capacity. Mafazy expressed hope that NIST’s final guidelines could clarify how to handle these autonomous functions.
On a related issue, Mafazy pointed out the operational difficulties and costs of changing the settings of smart inverters on an already deployed system, if changes are warranted and initiated by the utility. “This underlines the importance of activating and enabling voltage control functions as default during the first deployment,” he said.
NIST said the recommended cybersecurity capabilities in smart inverters will enable smart inverter owners and installers to implement seven categories of cybersecurity guidelines.
NIST tested five smart inverters to determine whether their capabilities would enable owners and installers to meet the draft guidelines. For example, NIST found that with regard to the ability to disable unused features, only two of the five smart inverters tested had that capability.
Threat level
In a smart inverter vulnerability study NIST conducted in 2022, the agency identified 15 vulnerabilities to cyber attacks in 2021, and another 30 going back further in time. The study used data from NIST’s National Vulnerability Database. “This research identified real cybersecurity issues that the guidelines should address,” NIST said.
The NIST design guidelines are titled “Cybersecurity for Smart Inverters: Guidelines for Residential and Light Commercial Solar Energy Systems.” The agency has requested comments on the draft guidelines and is preparing a final version of the guidelines.