Over the past few months we’ve been participating in SunSpec’s cybersecurity workgroups. Today we’re announcing our decision to join the SunSpec Alliance as a contributing member and support its pioneering work in cybersecurity regulations. Our participation in SunSpec standards is a significant time commitment, but a worthwhile one. On the night of December 23, 2015, hackers shut down power for 250,000 Ukrainians for 3 hours. That was an attack on centralized power stations, but researchers have shown that similar disruptions can result from a large-scale network attack on smaller distributed energy sources. As California and the rest of the world derive a greater percentage of their power from distributed generators such as residential solar panels, it’s imperative to ensure this power source cannot be disrupted by malicious actors.
We truly believe that the Public Utility Commission’s and SunSpec’s efforts to mandate cybersecurity are the way forward, for the power grid and for other industries. No one wants to be the next Equifax or have their devices make up the next botnet, but when the choice comes down to investing in product features vs. cybersecurity, the latter often takes a back seat and security is put off to the next release. When security does get implemented, it is often done poorly (more on this in a future post). Regulations, when designed well, solve both of these issues by mandating proven cybersecurity mechanisms.
The downside to regulations is two-fold. First, they can be designed poorly. For example, Rule 21 Phase 2 in its current form does not mandate communication security between the DER (distributed energy resource) device and the cloud. Security is like a chain: it’s only as strong as its weakest link, and in this case there is a missing link. Fortunately this “hole” has not gone unnoticed, and SunSpec, along with the utilities and TPOs, is filling it as we speak. Poor design can also apply to certification programs. Test procedures must ensure all requirements are met while still allowing flexibility for different implementations.
The other risk to regulation is overkill. If a requirement costs too much to implement it will have the same effect as a tariff and slow down the growth of DERs. The key is to require the correct dosage of cybersecurity to match the value of the asset being protected. For example, megawatt facilities absolutely need protection from both network attacks and physical access. However, small residential storage systems may only need to protect against network attacks since there is limited payoff for hackers breaking into the home.
Our participation in SunSpec is advantageous to customers like you. February 2019, the deadline for Rule 21 Phase 2 compliance, is less than a product design cycle away, and unfortunately some implementation details are still not set. For example, there is currently no signing certificate authority, let alone a root authority, for the public key infrastructure (PKI). The earlier we hear about new details, the quicker we can implement them and get compliance solutions into your hands for integration. Our “one line of code” solution can be implemented in just a few hours, but obviously you shouldn’t wait until the last few hours to integrate.
Although we don’t have the same experience in energy as our customers, joining SunSpec feels like coming home given our experience with standards. My first assignment (and first job) at Apple in 1993 was to work with HP and IBM to create the first and only infrared communications standard. Our most recent standards success was creating MirrorLink, which, not coincidentally, implements a military-grade PKI security infrastructure very similar to Rule 21’s and has already been validated in hundreds of millions of cars and phones. With SunSpec, we’re appreciative of the opportunity to continue working with standards and to be on the bleeding edge of cybersecurity regulations.
In case you haven’t noticed, we’re standards junkies; use that to your advantage. Reach out to us anytime to get the scoop on Rule 21. We’re looking forward to hearing from you.