Joshua Sturtevant, Van Hilderbrand, Jeffrey Karp and Morgan Gerard, all of Sullivan & Worcester, explore grid cybersecurity in Reforming the Energy Vision (REV).
As the energy system evolves from a macro-utility-centric model to a distributed energy smart grid, a new concern has arisen quite separate from the more publicized battles over net metering and utility mandates — cybersecurity.
According to Smartgrid.gov, cybersecurity threats include “deliberate attacks launched by disgruntled employees, agents of industrial espionage, terrorists, and other adversaries, but also inadvertent compromises of the information infrastructure due to user errors, equipment failures, and natural disasters.” The cybersecurity threat to the energy market is not new as the U.S. Department of Energy (DOE) has been involved in roadmapping activities to address cyber security threats and improve cyber resilience since 2004.
With the rise of competitive distributed energy resources (DERs), the New York State Public Service Commission (PSC) has placed new emphasis on securing the grid against cyber-threats. The PSC, a pioneer in restructuring the market to promote DERs, addressed cyber-vulnerabilities to the New York grid system in its recent Reforming the Energy Vision (REV) ruling.
Under REV, utilities will be deployed as central managers of multiple DERs. While this new vision will ensure that disparate distributed generators will be integrated into the broader grid, it could create vulnerabilities related to both energy disruptions and security. As a result, New York has, for the first time, suggested requiring that utilities monitor standards for non-utility DER providers with an eye toward protecting the grid from cybersecurity attacks directed at particular DERs. This move will ensure minimal security-related disruptions to supply and the protection of vulnerable customer information data.
Potential Cybersecurity Regulation May Increase Costs for Distributed Energy Providers
In allowing utilities to monitor cybersecurity standards for non-utility DER providers, the PSC should consider that such activities likely will increase competitive energy suppliers’ costs. Traditionally, utilities have borne the cost of cybersecurity, which could then be recouped through ratemaking procedures. However, financing renewable DERs is oftentimes already a high-wire balancing act of tax equity, project finance, power purchase agreements, and fixed returns. Adding a cybersecurity cost to the mix, which may include purchasing a particular type of software, re-training personnel, preparing compliance reports, and conducting monitoring, would increase operating costs and thus decrease investor returns. It is also possible that investors will attach new risk premiums to projects to account for the added costs of security compliance.
Because utility-like cost sharing mechanisms are not currently in place for DERs, and given that grid security is a common good, the PSC and other utility commissions could demonstrate their commitment to a more renewable, DER friendly grid infrastructure by enacting incentive programs that drive intended results. The state has taken great strides in meeting its public policy goal of deploying DERs by utilizing innovative public-funded incentive programs. For example, the state has established numerous energy incentives, including a renewable portfolio standard (RPS), green bank, and solar, efficiency, and electric vehicle programs. Moreover, New York City’s mayor’s office implemented INITIATIVE 13 with the goal of developing 800 MW of clean DERs on city-owned sites; an element of this program has been to advocate for ratepayer-funded DERs. Similar approaches could be deployed state-wide to ensure that private investment is not chilled and to ensure an efficient reallocation of costs in a more distributed generation-centric landscape.
To truly encourage DER deployment, the cost allocation between distributed energy providers and users of the macro-grid must be effectively managed. In the wake of the REV ruling, utility plans are due to the PSC by December 15, 2015, and a comment period is expected thereafter on topics including DER cybersecurity measures. Interested parties should be involved in this process to ensure that additional project costs related to cybersecurity risk management are addressed.
More information about Sullivan & Worcester’s Energy Group is available here.