Publications

2 Results

Search results

Overview and Commentary on Applying the Coordinated Vulnerability Disclosure Process to Photovoltaic System Devices

Jones, Christian B.; Hurtado, Jonathan G.

The rapid expansion of photovoltaic (PV) systems, particularly inverters, has introduced new cybersecurity challenges that threaten both local operations and the broader electrical grid’s stability. PV inverters, integrated into critical energy infrastructure, are potential targets for cyber attacks due to vulnerabilities in firmware, remote access systems, and communication protocols. The Coordinated Vulnerability Disclosure (CVD) process, as defined by the Cybersecurity and Infrastructure Security Agency (CISA), provides a framework for identifying, reporting, and addressing these vulnerabilities in a transparent and collaborative manner. This report outlines the CVD process as it applies to PV systems, detailing the roles of key stakeholders, such as manufacturers, grid operators, and security researchers. The report also highlights specific challenges in managing vulnerabilities for new and legacy PV systems, including those introduced by insecure communications and third-party supply chain components. By adhering to the CVD process, the PV industry can mitigate cybersecurity risks, ensure regulatory compliance, and maintain consumer trust, while safeguarding the operational resilience of the energy grid. Ultimately, the effective coordination of vulnerability management is crucial for securing the future of PV systems within the critical electric grid infrastructure landscape.

DEReliction: A Cybersecurity Vulnerability Assessment Methodology for Distributed Energy Resources

Jones, Christian B.; Hurtado, Jonathan G.; Wright, Brian J.; Johnson, Jay

With the increasing integration of Distributed Energy Resources (DER) into the electric grid, maintaining grid reliability and resilience requires that these devices remain secure. This paper discusses a cybersecurity vulnerability assessment methodology that incorporates best practices from Sandia National Laboratories, SANS Institute, OWASP Foundation, and other web and Internet of Things (IoT) penetration testing (“pen testing”) programs, courses, and frameworks for assessing the security posture of devices. The methodology involves five sequential steps: (1) Collect Public Information, (2) Extract Hardware Details, (3) Inventory Software Components, (4) Identify Vulnerabilities, and (5) Test Vulnerabilities. Each step uncovers potential weaknesses in both hardware and software components of DER devices, considering adversary tactics, techniques, and procedures (TTPs), and potential attack vectors along the way. The results from the execution of this method on multiple residential- and small commercial-scale photovoltaic (PV) inverters revealed hardware and software vulnerabilities, which highlight the benefit of taking a methodical approach to discover vulnerabilities. While the specific vulnerability details are not shared here, a generalized overview of findings underscores the importance of robust security assessments for DER devices. Adoption of an assessment framework of this kind will identify and mitigate cybersecurity threats and bolster the resilience of DER-integrated electric grids.
