Cybersecurity guidelines for smart inverters used in small-scale solar deployments are available in draft form from the National Institute of Standards and Technology (NIST).
NIST observes that when smart inverters are “configured to behave in a grid-friendly, supportive manner,” they assist the local electric utility in “addressing anomalies” on the electric grid.
But an improperly configured inverter, NIST says, “can respond in inappropriate ways that exacerbate anomalies,” and “a large number of misconfigured smart inverters could have a negative impact on a utility’s efforts to address anomalies.”
That raises the specter of a cyberattack, as NIST states that “if a malicious actor were able to deliberately misconfigure many smart inverters, grid stability and performance could be impacted.”
The draft guidelines recommend that manufacturers incorporate cybersecurity capabilities into their smart inverters. The guidelines are based on NIST’s baseline “internet of things” cybersecurity capabilities guidance, which NIST has made more specific to smart inverters.
How smart inverters communicate is a key focus of the draft guidelines, said Midhat Mafazy, regulatory program engineer with the Interstate Renewable Energy Council.
The NIST draft guidelines note that smart inverters may communicate with the electric utility, third-party operators, the device manufacturer, or other devices in the local environment. Yet “this communication capability also provides an opportunity for cyberattack,” NIST said.
NIST gave several examples of ways to protect smart inverter communications from “malicious actors” while still allowing needed communications.
NIST also made a draft recommendation to disable unused features and capabilities that are not used in a particular device deployment, giving three examples: remote access protocols and interfaces, wireless communications, and “guest” access to smart inverter features or capabilities.
Mafazy said the draft guidelines do not explicitly state how smart inverters’ autonomous functions should be handled. Those autonomous functions can help regulate voltage on a distribution circuit, thereby boosting hosting capacity. Mafazy expressed hope that NIST’s final guidelines could clarify how those autonomous functions should be handled.
On a related issue, Mafazy pointed to the operational difficulty and cost of making changes to smart inverter settings on an already-deployed system, if changes are warranted and initiated by the utility. “This underscores the importance of activating and enabling voltage regulation functions as default during initial deployment,” he said.
NIST said that its recommended cybersecurity capabilities in smart inverters will enable smart inverter owners and installers to implement seven categories of cybersecurity guidelines.
NIST tested five smart inverters to determine whether their capabilities would enable owners and installers to meet the draft guidelines. NIST found, for example, that regarding the ability to disable unused features, only two of the five smart inverters tested had that ability.
Threat level
In a smart inverter vulnerability survey that NIST conducted in 2022, the agency identified 15 vulnerabilities to cyberattacks in 2021, and 30 more going further back in time. The survey used data from NIST’s National Vulnerability Database. “This research identified real cybersecurity concerns that the guidelines should address,” NIST stated.
The NIST draft guidelines are titled “Cybersecurity for smart inverters: Guidelines for residential and light commercial solar energy systems.” The agency has solicited comments on the draft guidelines and is preparing a final version of the guidelines.
This content is protected by copyright and may not be reused. If you want to cooperate with us and would like to reuse some of our content, please contact: editors@pv-magazine.com.
By submitting this form you agree to pv magazine using your data for the purposes of publishing your comment.
Your personal data will only be disclosed or otherwise transmitted to third parties for the purposes of spam filtering or if this is necessary for technical maintenance of the website. Any other transfer to third parties will not take place unless this is justified on the basis of applicable data protection regulations or if pv magazine is legally obliged to do so.
You may revoke this consent at any time with effect for the future, in which case your personal data will be deleted immediately. Otherwise, your data will be deleted if pv magazine has processed your request or the purpose of data storage is fulfilled.
Further information on data privacy can be found in our Data Protection Policy.