Risk Assessment at the Edge: Applying NERC CIP to Aggregated Grid-Edge Resources

Abstract Distributed energy resources (DERs) promise to deliver benefits for both utilities and consumers by dynamically interoperating utility systems with customer-owned grid-edge technologies. These small energy-consuming devices are increasingly being aggregated for participation in grid markets, planning and operations. A cyber attack penetrating the control system of aggregated DERs could negatively impact the operation of the grid. In the worst case, the power grid could be severely damaged and physical safety compromised. In this paper we analyze cybersecurity risks associated with the aggregation of DERs and develop an approach to mitigating that risk. The approaches to both cyber risk analysis and mitigation were developed during a recent research project that serves as an example of how the approaches could be applied. However, both the risk analysis and mitigation are applicable to the broader domain of all DERs. An important conclusion is that the successful cyber compromise of aggregated DERs could have a significant impact on the bulk power system. This is the case even if each individual DER falls below the threshold of compliance with bulk-grid cybersecurity standards. For this reason, we specifically investigate how National Electricity Reliability Corporation’s Critical Infrastructure Protection requirements could flow down to interactions between DER aggregators and the DERs themselves in order to protect the grid from these bulk-scale cyber attack impacts.