Technology and Equipment

New NREL framework helps hydro plant owners assess cybersecurity risks

Today, most power generation facilities, including hydropower plants, are connected via the internet. While NREL says interconnectedness improves operational efficiency and keeps costs low, it also increases the risk of cyberattacks.

New NREL framework helps hydro plant owners assess cybersecurity risks
Washington state’s Lake Merwin Dam (Credit: Anuj Sanghvi, NREL)

The National Renewable Energy Laboratory (NREL) has released version 2.0 of the Cybersecurity Value-at-Risk Framework (CVF), a free, publicly available tool that is meant to help power plant owners and operators assess their cybersecurity risks and make sound cybersecurity investment decisions.

Today, most power generation facilities, including hydropower plants, are connected via the internet. While NREL says interconnectedness improves operational efficiency and keeps costs low, it also increases the risk of cyberattacks. In the last 20 years, over 40 cyberattacks have targeted hydropower facilities, per NREL.

“Older hydropower facilities were built long before the digital era, so it follows that they were not designed with modern cybersecurity in mind,” said NREL cybersecurity researcher and network security engineer Anuj Sanghvi. “Now that we’re in the digital era, adversaries that use data as their main source of leverage are thinking, ‘How can we hold energy generation hostage?’”

The CVF offers managers of hydropower facilities a self-guided, automated way to assess their plant’s cybersecurity risks and consider upgrade investments. The tool provides risk probabilities and scores, which NREL said highlights the financial value of cybersecurity improvements needed to handle future threats. Whereas the original CVF allowed users to assess only one facility per organization, CVF 2.0 allows users to assess multiple facilities in an organization.

“Any given organization has multiple projects and multiple facilities,” Sanghvi said. “With these updates, users can conduct any number of assessments for any number of facilities. This allows users to compare multiple facilities and then make informed decisions at the organizational level.”

In addition, CVF 2.0 features updated dashboards that are meant to allow users to better visualize the CVF’s risk assessments, including an output called valuation guidance — a list of prioritized action items and recommendations that shows the potential impacts of cybersecurity risks in order to demonstrate the importance of minimizing those risks. This improved interface provides a clearer picture of potential losses like equipment damage, operational downtime, and safety — all of which can be mitigated by operators through cybersecurity investments.

“Cybersecurity investments can include buying a new gateway device or security application,” Sanghvi said. “They can also look like hiring new staff dedicated to cybersecurity or training existing staff on the most current cybersecurity technologies.”

The CVF team are now working on future CVF upgrades that will convert the tool’s value-at-risk score —which measures a facility’s risk level and shows the number and types of resources needed to improve cybersecurity — into monetary values. These values will show how much money a facility could lose if risks go unaddressed, as well as what it might cost a facility to invest in technologies, processes, and employees that will help address the facility’s cybersecurity risks.

“We hope these updates will make the CVF easier to use and also more helpful for users’ day-to-day-decision-making,” said Sanghvi. “Ultimately, we want the CVF to provide users with enough information that they can see cybersecurity not as a burden but as something to improve their operations and make them more resilient.”

Nearly 38% of 445 utility companies globally had weak cybersecurity management programs as recently as 2022, according to recent research by Morningstar Sustainalytics. The figure did improve to nearly 27% in 2023, but Sustainalytics said it believes cybersecurity has become a major concern for utilities companies, according to the report, The Downside of Digital Transformation for Utilities: Data Privacy and Cybersecurity Risks.

Among the recorded incidents affecting the companies tracked in the Morningstar Sustainalytics to date, the majority of data privacy and cybersecurity incidents in the utilities sector involved breaches that compromised thousands of customers’ personal information. 

Cyberattacks have also caused service disruptions. For example, Luma Energy, a grid operator in charge of modernizing the power infrastructure in Puerto Rico, suffered a cyberattack in 2021 that blocked users from accessing their customer portal accounts during outages. Similarly, Colombian utility, Empresas Públicas de Medellín, experienced a cyberattack in 2022 that caused disruptions to its office operations as well as to customers’ meter and bill payments. Hydro-Quebec, a major grid operator in Canada, suffered an attack in 2023 that caused its app and website for verifying outages to go offline.