Q & A — Solarplaza Webinar: Understanding and Mitigating Cybersecurity Risks in the Solar Industry

By on February 1, 2018

To watch the webinar, click here. To download the webinar slides directly, please click here

For those who submitted questions during the webinar, thank you. We’ve compiled your questions and a few highlights from the webinar below: 

Considerations are different.

  • Local or remote operations: Residential plants are unmanned, so they need to be networked, secured, operated and managed from afar. 
  • Regulations: NERC CIP is the dominant standard, and in the distribution grid you have primarily state interconnection rules. As the distribution grid marketplace grows and we start to see aggregated C&I or residential systems, those systems can reach the threshold where they too will be governed by NERC CIP. 

Why worry about small systems? 

  • Due to their unmanned nature, small systems need to have appropriate security and network solutions. If one of these smaller systems is cracked, there is potential for a class break, which can have the same damaging effect as taking down one or more large plants. We don’t just worry about mainframe computers – we also worry about mobile devices and PCs. The same phenomenon is at play here when we talk about networking and securing distributed energy, PV or storage plants.
  • As an asset manager, you need to be thinking about a proportional response. Not all threats are the same and every response has a cost, so these are trade-offs you have to make on the regulatory front as rules differ by system size and your portfolio grows. You want to build your security and networking solutions into the foundation of your system from utility scale down to residential systems. 

Cybersecurity threats are alive and well.

  • If your solar site is connected to the internet, you are subject to internet weather, which is nefarious activity like automated tools that scan for internet-facing devices or vulnerable servers and workstations. 
  • On a huge scale, bots are out there trying to log in with default passwords and credentials. Most firewalls stop these attacks right away, but all internet-facing devices are susceptible to these types of attacks.
    • Example: One solar plant was attacked repeatedly by a bot that tried three times with default credentials and then, throughout the night, worked its way through the alphabet. 
  • If your solar facility is connected to the electric grid, we have seen an increase in nation state actors like Russia and North Korea who are conducting targeted attacks on concentrated assets like control centers. 
  • Cybersecurity is just another form of risk management – what is the return on the investment, what is the risk we are mitigating, what is the potential impact of that risk if it’s realized, what is the appropriate level of control to implement for each risk, what is the cost of system downtime as well as the ancillary impact like reputational risk.

  • NERC CIP is meant to be the floor, not the ceiling. 
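
The bot pattern in the example above (three tries per credential, then on to the next one in alphabetical order) can be spotted in authentication logs. The following is an added example, not code from the webinar or its presenters; the log format, field names and thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO timestamp> login_failed|login_ok src=<ip> user=<name>"
LINE = re.compile(r"^(\S+) (login_failed|login_ok) src=(\S+) user=(\S+)$")

def build_sample():
    """Constructed sample: one bot walking usernames A->Z, one operator typo."""
    lines, t = [], datetime(2018, 1, 15, 1, 0, 0)
    for user in ["admin", "backup", "guest", "operator", "root", "user"]:
        for _ in range(3):  # three tries per credential, as in the example above
            lines.append(f"{t.isoformat()} login_failed src=203.0.113.7 user={user}")
            t += timedelta(seconds=4)
        t += timedelta(minutes=40)  # slow pace, spread through the night
    lines.append("2018-01-15T08:15:00 login_failed src=198.51.100.20 user=jsmith")
    lines.append("2018-01-15T08:15:20 login_ok src=198.51.100.20 user=jsmith")
    return lines

def find_credential_walkers(lines, min_users=4, max_tries=3):
    """Flag sources whose failed logins look like a scripted walk: many distinct
    usernames, at most max_tries each, first seen in alphabetical order."""
    per_src = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m.group(2) != "login_failed":
            continue  # skip unparseable lines and successful logins
        ts, _, src, user = m.groups()
        per_src[src][user].append(datetime.fromisoformat(ts))
    flagged = {}
    for src, users in per_src.items():
        order = sorted(users, key=lambda u: min(users[u]))  # first-seen order
        alphabetical = order == sorted(order)
        small_bursts = all(len(t) <= max_tries for t in users.values())
        if len(users) >= min_users and alphabetical and small_bursts:
            stamps = [t for ts in users.values() for t in ts]
            hours = (max(stamps) - min(stamps)).total_seconds() / 3600
            flagged[src] = {"usernames": order, "attempts": len(stamps),
                            "span_hours": round(hours, 1)}
    return flagged

if __name__ == "__main__":
    for src, info in find_credential_walkers(build_sample()).items():
        print(src, info)
```

A per-minute rate limit alone would miss this source, since it never makes more than three attempts in a burst; grouping by source over a long window is what exposes the walk.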

Cybersecurity is a collection of little steps 

  • You can’t go out and buy one big cybersecurity solution and stamp it on your project. By adhering to checklists and standards and carefully planning and implementing smaller elements of a system, you have the ability to create secure systems at scale and garner all the value of that connectivity. 
  • NEXTracker’s vision: Connect to and acquire data from every component and every system across our 11 GW fleet, every 5 minutes across the world and to create meaningful value with this data and connectivity 
  • Cybersecurity is not a set-it-and-forget-it function – it’s about keeping up with many small steps. There are recurring tasks that need to happen on a monthly or annual basis, like system access plan audits, cyber awareness training and operational health checks. 

Top 7 questions owner/operators ask:

  1. How do you handle security with your Zigbee wireless network? 
  2. How do you protect power plants from hackers if there is remote access?
  3. What protocols does your equipment use and what protections does your equipment have? 
  4. What data do you use?
  5. What platforms are your SCADA systems and your web dashboard built on? 
  6. What’s your patch management scheme and how often do you update your systems? 
  7. Are your technicians vetted? Do they have background checks and training? What customer data policies do you have? 

 

Poll: What level of IT expertise is typically available in C&I or utility-scale projects? 

Q: What is the level of competency and preparedness in the marketplace? 

A: It’s mixed, but with the right level of education and dialog, there’s not a site yet that we haven’t been able to work through correctly the different security issues and put in place the proper protocols. Every customer is also different in terms of their requirements so at this point in our state of affairs, we need to have flexibility and understanding and offer some time and effort to get each site set up. 

Q: It’s clear to me that if a bad actor gained access to the equipment, they could shut it down, and that would result in financial harm to the asset owner, from lost production or that their own data could be taken hostage with ransomware. I’m still unclear, though, on the threat to the industry and what harm could come to the grid at large.

A: All these reliability standards like NERC CIP are really all about the reliability of the grid and that comes down to making sure we have enough generation at any given moment whether we are talking about a large plant or a slew of small plants because they can disrupt that balance. There’s going to be a low system disturbance to deal with, and if it’s not mitigated properly that can result in a blackout and in the worst case scenario, we have damaged transmission transformers. For the public utility commissions in California or Hawaii, they are concerned when tolerance windows are insufficient and so you have some grid imbalances and inverters start tripping off, and when the system trips off, it wreaks havoc in the system and can cause rolling blackouts. 

Q: Is there an open channel of communication so that people can discuss and understand the priorities of the system operators or utilities themselves? 

A: The dialogue is increasing, but still limited to the owners, operators and utilities. But with education, security is starting to be rolled into contracts from the beginning through O&M contracts, etc.