Both the large-scale integration of DER and the new reliance on pervasive communication and coordinated control introduce new threats and vulnerabilities that need to be mitigated:
- Communication endpoints providing measurement data must be protected against intrusion by malicious actors. These could attempt to get access to user-specific data (privacy breach), and/or attempt to interrupt data flow or transmit incomplete or otherwise manipulated data.
- The channels used to transmit, receive, relay, aggregate, or evaluate measurement data must be protected against malicious interference. Again, the threads are privacy breaches as well as missing, incomplete or manipulated data.
- Manipulated measurement data can interfere with the system operator’s state estimation processes. If the system operator assumes a system state that does not reflect the actual situation, their control signals may drive the system beyond its secure operating ranges (loading, voltage, frequency), leading to physical danger to assets, grid users and operator personnel.
- When observability of the system state is lost completely in a grid segment, the system operator is no longer able to send the appropriate control signals to maintain safe operation. DER therefore need safe fallback modes and limits within which they are allowed to operate when no communication channel is available.
- Controllability likewise requires that correct and complete control signals from the system operator reach their designated destination at the DER and are acted upon dependably. The DER must check the authenticity, integrity, and permissibility of the control input before acting on it. The channels and interfaces sending, transmitting, receiving, and evaluating control data therefore need to be protected against malicious interference just like the ones used for measurement data.
- All communication endpoints including the data routing equipment need be protected against network level attacks such as distributed denial of service (DDOS) attacks. Otherwise malicious actors may be able to effectively disable individual assets, entire grid segments, or entire asset classes by preventing the assets from sending or receiving data.