DER Digital Supply Chain Gap Analysis

Slide 1: DER Digital Supply Chain Gap Analysis
Ryan Cryar, Cybersecurity Researcher
Securing Solar for the Grid Workshop, September 14th, 2023
Principal Investigator: Danish Saleem
Other Contributors: Ryan Cryar, Jennifer Guerra, Chelsea Quilling
Funded by: Solar Energy Technologies Office, U.S. Department of Energy

Slide 2: Introduction
Presidential Executive Order 14017 for supply chain cybersecurity. This project supported research for supply chain cybersecurity by:
• Performing a gap analysis of the current cybersecurity landscape of distributed energy resources (DERs)
• Creating recommendations for the digital supply chain cybersecurity of solar photovoltaics
• Engaging with academia, national laboratories, and industry to address and understand digital supply chain challenges
• Identifying future opportunities to engage with industry members through different cybersecurity working groups

Slide 3: Past Work
Gap Analysis of Supply Chain Cybersecurity for Distributed Energy Resources:
• Addresses the landscape of the digital supply chain
• Drafts the ideal state of the digital supply chain
• Provides recommendations to bridge the gaps between the current and ideal states
• Challenges stem from areas such as open source, standards, and where to apply best practices
Report: Ryan Cryar, Danish Saleem, Jordan Peterson, and William Hupp, "Gap Analysis of Supply Chain Cybersecurity for Distributed Energy Resources," National Renewable Energy Laboratory, Technical Report NREL/TP-5R00-84752, February 2023. Available at no cost from NREL; Contract No. DE-AC36-08GO28308.

Slide 4: Addressing Recommendations
Supply Chain Cybersecurity Recommendations for Solar Photovoltaics:
• Follows the prior work
• Addresses practices found in and adapted from NERC, NIST, and NATF
• Provides down-selected recommendations that could apply to the digital supply chain of solar photovoltaics
• Focuses on short, clear language that can be tested and quantified
• Includes recommendations reviewed by academia and national laboratories
• Publication released on the NREL website
Report: Ryan Cryar, Vikash Rivers, Danish Saleem, Chelsea Quilling, and Jennifer Guerra, "Supply Chain Cybersecurity Recommendations for Solar Photovoltaics," National Renewable Energy Laboratory, Technical Report NREL/TPX-2000K, August 2023.

Slide 5: Example Recommendations
Recommendation 30: Through a secure portal, vendors should provide customers with a vulnerability disclosure report, including the analysis and findings describing the impact that a reported vulnerability has on a product as well as plans to address the vulnerabilities. The vulnerability disclosure report should be signed with a trusted, verifiable, private key that includes a time stamp of the signature. (Adapted from NIST SP 800-161r1 RA-5; NATF Energy Sector Supply Chain Risk Questionnaire RISK-08)
Recommendation 31: Vendors should establish a separate notification channel for customers in case a vulnerability arises that is not included in the vulnerability disclosure report. (Adapted from NIST SP 800-161r1 RA-5; NATF Energy Sector Supply Chain Risk Questionnaire VULN-06, VULN-07)

Slide 6: Outcomes of the Reports
• Interest in forming a subgroup on supply chain cybersecurity within the SunSpec/Sandia Cybersecurity Working Group
• Engage with industry members to develop more effective recommendations
• Provide immediate value to industry through recommendations that are testable
• Gaining visibility into the challenges of the digital supply chain of renewable energy resources
[Figure, graphic by NREL: DER communication paths. Utility to DER via IEEE 2030.5 (PKI) and the IEEE 1547-2018 interface; utility to a third-party aggregator via IEEE 2030.5 (PKI); grid services provided by a third party (e.g., via OpenADR); aggregator and vendor cloud services to DER over proprietary protocols (PKI 2 and 3), including firmware patches delivered through proprietary communications; gateways to DER Type 1 (PV) and DER Type 2 (ESS) over SunSpec Modbus TCP or RTU (serial/RS485), PLC, or proprietary protocol; wired and wireless links. Legend: ESS, energy storage system; PV, photovoltaic system; DER, distributed energy resource; PKI, public key infrastructure; OpenADR, Open Automated Demand Response; PLC, programmable logic controller.]

Slide 7: Future Work
• By leveraging the SunSpec/Sandia cybersecurity working group to create a subgroup on supply chain cybersecurity, further adapt the recommendations.
• Through this subgroup, to the extent possible, harmonize with other groups, such as the SEPA CSWG, the CPUC Smart Inverter Working Group, and the UL 2941 Technical Committee.
• With this engagement, industry members see immediate value by actively developing recommendations that can be tailored to their own practices.
SunSpec/Sandia DER Cybersecurity Workgroup (SunSpec Alliance; Sandia National Laboratories) subgroups:
• DER Cybersecurity Certification Procedure (complete): Defined a standardized procedure for DER vulnerability assessments. Leads: Danish Saleem (NREL) and Cedric Carter (MITRE). Publication: "Certification Procedures for Data and Communications Security of Distributed Energy Resources". Future work: expected development within the UL 2900-2-4 STP.
• Data-in-Flight Requirements (complete): Encryption, authentication, and key management requirements. Lead: Ifeoma Onunkwo (Sandia). Publications: "Recommendations for Trust and Encryption in DER Interoperability Standards" and a Data-in-Transit Requirements document (forthcoming). Future work: IEEE 1547.3 update, IEEE 2030.5 revisions.
• Secure Network Architecture (complete): Created a DER reference architecture best practice. Lead: Candace Suh-Lee (EPRI). Publication: "EPRI Security Architecture for the Distributed Energy Resources Integration Network: Risk-based Approach for Network Design". Future work: risk-based approach adopted in IEEE 1547.3.
• Access Control (wrapping up): DER role-based access control recommendations. Lead: Jay Johnson (Sandia). Topics: access control taxonomy and security models. Planned publication: "Recommendations for Distributed Energy Resource Access Controls". Future work: add recommendations to the IEEE 1547.3 Guide.
• Utility/Aggregator Auditing Procedure (starting, Q2 FY21): Creating recommended auditing practices for DER networks; planned for March-April 2021. Lead: TBD. Topics: step-by-step auditing procedure for internal or external compliance review; recommended data to retain for attack forensics.
• Patching Requirements (starting August-September 2020): Establishing patching guidelines for DER devices and DER networking equipment. Lead: TBD. Topics: patch update rates, maintenance guidelines, etc.

Slide 8: Industry Engagement
Engagement with industry is prioritized. Several working groups are being leveraged to provide balanced feedback among multiple types of stakeholders and participants. Additional engagement sources are actively being sought.
Photo by Dennis Schroeder, NREL 22168

Slide 9: Thank You! Let's work together!
[email protected]
NREL/PR-5R00-87282
This work was authored by the National Renewable Energy Laboratory, operated by Alliance for Sustainable Energy, LLC, for the U.S. Department of Energy (DOE) under Contract No. DE-AC36-08GO28308. Funding provided by the U.S. Department of Energy Office of Energy Efficiency and Renewable Energy Solar Energy Technologies Office. The views expressed in the article do not necessarily represent the views of the DOE or the U.S. Government. The U.S. Government retains and the publisher, by accepting the article for publication, acknowledges that the U.S. Government retains a nonexclusive, paid-up, irrevocable, worldwide license to publish or reproduce the published form of this work, or allow others to do so, for U.S. Government purposes.
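Recommendation 30 on slide 5 asks that the vulnerability disclosure report be signed with a trusted, verifiable key and that the signature carry a time stamp. The Go program below is an added example of what that looks like on both sides of the portal; it is not code from the NREL reports, the working group, or any vendor. It assumes an Ed25519 vendor key whose public half the customer has pinned out of band, a report schema (the VDR struct) invented for the example, and a constructed sample report that describes no real product or flaw. The time stamp is fed into the signed message rather than stored beside the signature, so back-dating or re-dating the report invalidates it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// VDR is the report body. The field set is this example's assumption; the NREL
// recommendation prescribes no schema.
type VDR struct {
	Vendor  string `json:"vendor"`
	Product string `json:"product"`
	Impact  string `json:"impact"` // analysis and findings
	Plan    string `json:"plan"`   // plan to address the vulnerability
}

// SignedVDR is what the vendor publishes through the portal.
type SignedVDR struct {
	Report    json.RawMessage `json:"report"`
	SignedAt  string          `json:"signed_at"` // RFC 3339 UTC, covered by the signature
	KeyID     string          `json:"key_id"`    // hex SHA-256 of the signing public key
	Signature string          `json:"signature"` // hex Ed25519 signature
}

// SampleReport is constructed for this example; it describes no real product or flaw.
func SampleReport() VDR {
	return VDR{
		Vendor:  "Example Inverter Co. (constructed)",
		Product: "example-inverter",
		Impact:  "constructed finding affecting the remote management interface",
		Plan:    "firmware fix scheduled for the next maintenance release",
	}
}

func keyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signingInput binds report bytes and timestamp into one message, with a domain
// tag and a length prefix, so neither can be altered or re-split unnoticed.
func signingInput(report []byte, signedAt string) []byte {
	msg := []byte(fmt.Sprintf("nrel-vdr-example-v1\x00%d\x00", len(report)))
	msg = append(msg, report...)
	msg = append(msg, 0)
	return append(msg, signedAt...)
}

// Sign (vendor side) serializes the report, stamps the signing time, signs both.
func Sign(priv ed25519.PrivateKey, r VDR, now time.Time) (SignedVDR, error) {
	report, err := json.Marshal(r)
	if err != nil {
		return SignedVDR{}, err
	}
	signedAt := now.UTC().Format(time.RFC3339)
	sig := ed25519.Sign(priv, signingInput(report, signedAt))
	return SignedVDR{Report: report, SignedAt: signedAt,
		KeyID: keyID(priv.Public().(ed25519.PublicKey)), Signature: hex.EncodeToString(sig)}, nil
}

// Verify (customer side) checks against a public key pinned out of band: the key
// ID must match it, the timestamp must parse and not lie in the future (5 min
// skew allowed), and the signature must cover exactly the bytes received.
func Verify(trusted ed25519.PublicKey, s SignedVDR, now time.Time) error {
	if s.KeyID != keyID(trusted) {
		return errors.New("key id does not match the pinned vendor key")
	}
	t, err := time.Parse(time.RFC3339, s.SignedAt)
	if err != nil {
		return fmt.Errorf("malformed timestamp: %w", err)
	}
	if t.After(now.Add(5 * time.Minute)) {
		return errors.New("signature timestamp is in the future")
	}
	sig, err := hex.DecodeString(s.Signature)
	if err != nil {
		return fmt.Errorf("malformed signature: %w", err)
	}
	if !ed25519.Verify(trusted, signingInput(s.Report, s.SignedAt), sig) {
		return errors.New("signature invalid: report or timestamp altered")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	signed, _ := Sign(priv, SampleReport(), time.Now())
	fmt.Println("as published:", Verify(pub, signed, time.Now())) // <nil>
	backdated := signed
	backdated.SignedAt = "2020-01-01T00:00:00Z" // changing the stamp breaks the signature
	fmt.Println("back-dated:", Verify(pub, backdated, time.Now()))
}
```

Two caveats a customer should keep in mind. The time stamp here is asserted by the signer, so it proves only what the vendor's key said at signing time; where non-repudiable timing matters, an independent time stamp (for example from an RFC 3161 timestamping authority) has to be layered on top. And pinning is what makes the key "trusted": verifying against whatever public key the portal serves next to the report verifies nothing, because an attacker who can replace the report can replace that key too.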
