NREL Project Sets Stage for Quantifying Future Energy System Cyber Risks

Cyber100 Compass Developers Seek Utility Feedback on Proof-of-Concept Application

July 25, 2024 | By Mariah Cox

When selecting coverage for homeowners and car insurance, many consumers base their choice on how much they are willing to pay out of pocket in the event of a disaster or accident. Researchers at the National Renewable Energy Laboratory (NREL) recently explored applying a similar model of risk evaluation to energy system upgrades in a project called Cyber100 Compass.

Test the Application

NREL researchers are seeking feedback on the Cyber100 Compass proof-of-concept application. Utilities interested in helping NREL advance Cyber100 Compass toward a user-ready application are invited to fill out this form.

The project produced a proof-of-concept application that shows how future iterations of Cyber100 Compass could support utility system planners. The proof-of-concept application enables users to input information about their current and desired energy system architectures and view quantitative results to understand how certain upgrades could improve or impair their cybersecurity posture and influence the monetary impact of a cyberattack.

While the Cyber100 Compass application is still a proof of concept and not yet ready for industry use, it is an important first step toward developing guidance for system planners about potential cybersecurity risks as they integrate more renewable energy into their generation mix.

A Rapidly Evolving Grid Landscape

Many states and localities across the United States have ambitious goals of achieving 100% clean energy in the next five to 25 years. The transition to renewable energy systems will require a significant reengineering of the grid to connect distributed generation, such as wind and solar, to existing energy infrastructure.

Compared to traditional electric grids, which are powered by relatively few generation facilities, the modern grid is increasingly reliant on many decentralized generation sources. This distributed landscape often means that grids are powered by multiple operating entities—like owners of large-scale solar and wind facilities and homeowners with rooftop solar—instead of a single utility.

This shift, coupled with the complex, data-driven communications needed to manage millions of interconnected and distributed devices, is changing the topology of the grid.

At the same time, the threat landscape is rapidly evolving. Cyberattacks that cause power outages, damage to equipment, and disruption to critical processes are becoming less rare.

As investors, utilities, and customers prepare for clean energy transitions, there is a need to understand how restructuring the grid will change the attack surface and the accompanying cybersecurity risks.

“Right now, there’s a lot of uncertainty about how risky the transition is,” said Maurice Martin, senior cybersecurity researcher at NREL. “It’s hard for utilities to know what kind of risk level they’re exposing themselves to, and that uncertainty can have a cooling effect.”

Future versions of a matured Cyber100 Compass application could help system planners, operators, and other stakeholders improve their understanding of these risks to make informed, data-backed decisions as they decarbonize their grids.

Quantifying Future Energy System Cybersecurity Risks

[Flow chart: review plans for expected transition to renewables; consider the quantifiable impacts of cyber events; evaluate future grid architecture conditions; execute Cyber100 evaluation; decision point: is the risk acceptable?; proceed with upgrade.]

This chart illustrates the Cyber100 Compass decision flow.

Quantifying the cybersecurity risks for future energy systems is currently an understudied and increasingly critical area of risk management.

The Cyber100 Compass proof-of-concept application offers a promising and novel approach for assessing and quantifying the impacts of cyberattacks on future power systems with high deployments of renewables.

Cyber100 Compass aggregates data inputs from subject matter experts in power systems, cybersecurity, and risk management on 1) the baseline probabilities for different cyber-physical events, such as power outages and damage to utility equipment, 2) the probability that an event will be low, moderate, or high impact, and 3) the degree to which various system conditions might change the likelihood of cyber-physical events occurring.

Users of the application then provide data about their organization’s tolerance for risk, the value they place on avoiding the consequences of different cyber events, and the conditions they expect to exist on their systems in the future, such as the percentage share of renewable energy generation.

The application takes data from subject matter experts, combines it with data from the user, and performs a probabilistic risk assessment to arrive at a monetary quantification of risk.

“The whole concept behind Cyber100 Compass is about mining the knowledge of these subject matter experts and capturing it in a form that is reusable across many different utilities of various sizes, loads, and generation mixes,” Martin said. “Cyber100 Compass provides a monetary expression of risk to help utility decision makers feel confident in their planned upgrades.”

One output that users receive from the proof-of-concept application is a risk tolerance curve. The graph visualizes a utility’s willingness to accept certain levels of risk based on the financial losses that could occur from a cyberattack. The risk tolerance curve can help users determine whether their system development plans are on track or are leading them toward unacceptable levels of risk.

[Graph: risk tolerance curve versus recommended expectation of loss.]

This sample risk tolerance curve shows that an organization is willing to accept an approximately 12% probability of an annual loss of $1,000,000 or more. If the recommended expectation of loss (orange line) exceeds risk tolerance (blue line), the utility might consider adjusting its clean energy plans or applying additional cybersecurity mitigations.
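The comparison described above can be sketched as a small probabilistic risk assessment. This is an added example, not code from Cyber100 Compass or NREL: the multiplicative treatment of system conditions, the independence of events, and every number except the 12% at $1,000,000 tolerance point are assumptions constructed for illustration.

```python
# Constructed expert inputs (illustrative values, not NREL data): baseline annual
# probability of each cyber-physical event and its split across impact levels.
EVENTS = {
    "power_outage": {"baseline": 0.05, "impact": {"low": 0.6, "moderate": 0.3, "high": 0.1}},
    "equipment_damage": {"baseline": 0.02, "impact": {"low": 0.5, "moderate": 0.3, "high": 0.2}},
}
# Assumption: a system condition scales an event's baseline probability.
CONDITION_MULTIPLIERS = {
    "high_renewable_share": {"power_outage": 1.5, "equipment_damage": 1.2},
    "network_segmentation": {"power_outage": 0.7, "equipment_damage": 0.8},
}
# Constructed user inputs: dollar value placed on avoiding each outcome.
LOSS_VALUE = {
    "power_outage": {"low": 100_000, "moderate": 1_000_000, "high": 5_000_000},
    "equipment_damage": {"low": 250_000, "moderate": 2_000_000, "high": 10_000_000},
}
# Tolerance curve: (annual loss, highest acceptable probability of that loss or more).
# The first point mirrors the sample curve described above; the rest are constructed.
RISK_TOLERANCE = [(1_000_000, 0.12), (5_000_000, 0.02), (10_000_000, 0.004)]

def event_probability(event, conditions):
    """Baseline probability adjusted by every expected condition, capped at 1."""
    p = EVENTS[event]["baseline"]
    for condition in conditions:
        p *= CONDITION_MULTIPLIERS[condition].get(event, 1.0)
    return min(p, 1.0)

def annual_loss_distribution(conditions):
    """Exact {total loss: probability}; events independent, each at most once a year."""
    dist = {0: 1.0}
    for event, spec in EVENTS.items():
        p = event_probability(event, conditions)
        outcomes = [(0, 1.0 - p)]
        outcomes += [(LOSS_VALUE[event][lvl], p * share) for lvl, share in spec["impact"].items()]
        combined = {}
        for total, p_total in dist.items():
            for loss, p_loss in outcomes:
                combined[total + loss] = combined.get(total + loss, 0.0) + p_total * p_loss
        dist = combined
    return dist

def evaluate(conditions):
    """Per tolerance point: (loss, probability of that loss or more, tolerance, acceptable?)."""
    dist = annual_loss_distribution(conditions)
    rows = []
    for threshold, tolerated in RISK_TOLERANCE:
        exceed = sum(p for loss, p in dist.items() if loss >= threshold)
        rows.append((threshold, exceed, tolerated, exceed <= tolerated))
    return rows
```

With these constructed inputs, `evaluate(["high_renewable_share"])` exceeds tolerance only at the $10,000,000 point, and adding `"network_segmentation"` brings every point back under the curve.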

“The application presents numerical results in several formats,” Martin said. “Among other types of feedback, we hope to hear which formats are most useful for users.” 

Seeking Feedback: Utilities Invited

Although the proof-of-concept application is not yet ready for industry use, the Cyber100 Compass development team is making it available to utilities interested in piloting and providing feedback on it. The team hopes to continue iterating on the application to enhance its benefit to the industry and eventually see it integrated into utility system planning processes.

Utilities interested in helping NREL improve the proof-of-concept application are invited to fill out this form to request access. Upon filling out the form, utilities can download the application and provide feedback on its format, the usability of the application interface, and the format of the results.

Other organizations interested in helping advance Cyber100 Compass, such as academic and research institutions and nonprofit service organizations, are also invited to engage the development team by contacting Maurice Martin.

Development of the Cyber100 Compass proof-of-concept application and the project final report received sponsorship and input from the U.S. Department of Energy Office of Electricity and Office of Cybersecurity, Energy Security, and Emergency Response. To learn more, read the technical report.
