Controls and Automation

NREL developing cybersecurity tool for hydropower operators

NREL developing cybersecurity tool for hydropower operators

A new tool being developed by the National Renewable Energy Laboratory (NREL) and Argonne National Laboratory (ANL), the Cybersecurity Value-at-Risk Framework (CVF), provides hydropower operators complete and customized assessments of their cybersecurity risks and demonstrates how different investments will help improve overall resilience.

The tool was developed with support from the U.S. Department of Energy Water Power Technologies Office.

“This is a much-needed framework for future security and resilience,” said Anuj Sanghvi, an NREL cybersecurity researcher who is helping develop the CVF. “Operators are eager to understand the right resilience investments for their systems, as well as the actual risks themselves. CVF can provide deep insight around how system-specific investments relate to cybersecurity and resilience.”

Hydropower, accounting for 37% of U.S. utility-scale renewable electricity, is challenged by diverse infrastructure and legacy devices that predate modern cybersecurity practices. New solutions cannot simply be bolted on to the technology, meaning there are not catch-all solutions for security available to the hydro industry. Instead, custom assessments can help reveal specific threats and risk probabilities and reveal how those threats translate into new investments.

As an online tool, the CVF guides users through a detailed analysis of the plant’s operations. Users answer a series of questions, and their responses are compared against multidimensional criteria for environmental, operational and economic impact. Results and data from the CVF include specific risk probabilities and scores that are indicative of financial value and that require cybersecurity improvements to withstand future threats.

The CVF leverages lessons from the NREL-developed Distributed Energy Resource Cybersecurity Framework (DER-CF), a tool originating from the federal government to secure its facilities but with wide applicability to sites of many sizes and functions. The CVF borrows the DER-CF’s standardized cyber evaluation method and extends the scope to perform risk, impact and likelihood scoring all within the valuation platform, angling the assessment to hydro-specific applications. Both frameworks follow National Institute of Standards and Technology guidance for criteria like data handling, risk scores and environmental footprint, which also aligns facilities with relevant federal regulation.

The CVF is being validated on an initial case study at Delta Montrose Electric Association’s hydropower facilities. Other utilities and federal agencies are also implementing the CVF and advising on its design. As feedback comes in, NREL and ANL will continue to develop the framework for web release in 2023.

NREL is a national laboratory of the DOE, Office of Energy Efficiency and Renewable Energy, operated by the Alliance for Sustainable Energy LLC.