Cybersecurity is an important topic in nearly every industry, especially as it relates to the advent of millions of Internet of Things (IoT) devices. In the energy sector alone, there has been exponential growth in the volume and diversity of grid-edge energy management devices — with more than 15 million smart thermostats, 1.5 million residential solar installations, and more than 600,000 electric vehicles coming online in the last few years. This trend offers a great opportunity for utilities willing to take advantage of it.
The growth of these devices has also seen an accompanying rise of cybersecurity threats — including device security breaches in everything from webcams to baby monitors. Without proper security measures in place, such as password protection schemes and encrypted network communications, IoT devices can contain vulnerabilities and be susceptible to threats, such as malware and distributed denial of service (DDoS) attack.
In order to connect and coordinate within this growing ecosystem of grid-valuable devices, utilities will require a software solution that securely manages the enormous complexity of decision-making across distributed energy resources (DERs), such as electric vehicle charging equipment, smart thermostats, battery energy storage, smart inverters, etc. The combination of utility- and consumer-owned DERs — nearly all of which will be network-connected — will create a new level of complexity for cybersecurity practices, policies, and management.
To address these challenges, the Advanced Energy Economy (AEE) Institute recently published the report, “Cybersecurity in a Distributed Energy Future.” The paper highlights existing cybersecurity threats to the emerging smart grid, and more importantly, protective measures and precautionary steps being taken by companies like EnergyHub to protect both consumer data and information, as well as utility systems and operations.
As a contributing author to the paper, we emphasized the best practices we followed when developing our Mercury DERMS platform to ensure end-to-end cybersecurity — from the device to the utility.
Cybersecurity is front-and-center in the Mercury DERMS. In order to protect advanced grids from a cyberattack, EnergyHub has a number of preventative measures in place, both in our DERMS and in its connections to devices and DERs. EnergyHub takes a holistic approach to cybersecurity, working closely with device partners and utilities to ensure the security and integrity of devices enrolled in utility programs. EnergyHub requires partners to provide a secure customer experience and authentication protocols with endpoint devices, along with secure and encrypted communications with the partners’ servers. When interacting with utility systems, such as Customer Information Systems (CIS) and Meter Data Management Systems (MDMS), EnergyHub also requires secure and encrypted information transfer and secure endpoints for cloud-based data storage — which is especially important when handling Personally Identifiable Information (PII).
Mercury employs strict password protection policies, utilizes role-based security in accessing application functions and data access within the software platform, and logs all events for reporting purposes. Mercury’s software architecture is designed to protect database servers and interactions by using multiple layers of security firewalls and also leverages applicable security standards and practices used by Amazon Web Services (AWS). Furthermore, Mercury undergoes annual penetration and security assessments by Plynt, a leading security testing organization. The combination of these policies and measures results in a secure, reliable end-to-end solution for utilities.
The “Cybersecurity in a Distributed Energy Future” paper includes more than 20 contributors from across the smart grid industry — including leading hardware vendors, software system providers, and consulting experts. To learn more about best policies and practices for securing the grid edge, you can download the report at the AEE Institute here.