Electrical standards provider UL Solutions has released a new cybersecurity protocol, UL 2941, which covers distributed energy and inverter-based resources. Developed with the U.S. Department of Energy’s National Renewable Energy Laboratory (NREL), UL 2941 provides testable requirements for energy storage and generation technologies on the distribution grid. The new cybersecurity protocol provides a framework for photovoltaic inverters, electric vehicle chargers, wind turbines, fuel cells and other distributed resources operating within a grid interconnection.
The new UL requirement prioritizes cybersecurity standards for power systems that deal with high penetration inverter-based resources, including those interfacing with bulk power systems for periods of instantaneous high wind, solar and hybrid/storage generation.
UL 2941 will also promote cybersecurity measures across all new inverter-based resources (IBR) and distributed energy resource (DER) systems.
“The publication of UL 2941 is a milestone toward securing the distributed generation industry,” said Danish Saleem, senior energy systems cybersecurity engineer, NREL. “Equipment manufacturers, asset owners, regulators and government officials now have an established baseline for strengthening the security of their devices such as network-connected IBRs, monitoring devices, and parts of IBR systems that provide software-based and firmware-based controls.”
NREL is receiving additional support from the DOE’s Solar Energy Technologies Office to support the new standard’s development. With SETO, NREL will receive formal industry feedback on the listed requirements, develop test procedures, and perform beta testing of devices under the UL 2941 standard, Saleem said.
Products complying with UL 2941 will be eligible for UL certification. The testing is intended to be an add-on service for inverters, complementing UL 1741, the current standard for power inverters, converters, controllers and interconnection system equipment for distributed energy resources.
Following an increase in ransomware attacks in the U.S. energy markets in recent years and the need for new distributed energy systems following Russia’s 2022 invasion of Ukraine, there has been an in flux of new DER resources tied to the grid in the U.S. and Europe.
A 2022 report by SETO called “Securing Solar for the Grid” called on national laboratories and industry participants to propose cybersecurity requirements for distributed energy resources. A DOE report on the topic calls for the DER market to engage in such discussions.
As deployment of rooftop solar, batteries and other DERs increases, the potential damage from a cyberattack on DERs also increases, according to the report. DERs now total 90 GW of capacity in the U.S., and are expected to grow to 380 GW by 2025, the DOE said.
In two potential scenarios of a cyber attack, an attacker could use ransomware to take control of multiple DERs, or could use a supply chain attack on an aggregator, or on another party that sends directions or updates to DERs, to influence the operation of the DERs, the DOE report noted.
In two other scenarios, a “botnet” could infect enough DERs with malware to enable the attacker to create unanticipated power swings on the grid, or a “worm” could spread from one DER to a higher-level distributed energy resource management (DERM) system, which could then send a false command to many DERs and instigate power instability.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.