Date Published: May 10, 2024
Author(s)
James McCarthy (NIST), Jeffrey Marron (NIST), Don Faatz (MITRE), Daniel Rebori-Carretero (MITRE), Johnathan Wiltberger (MITRE), Nikolas Urlaub (MITRE)
Announcement
The use of small-scale solar energy systems to generate electricity continues to increase. Smart inverters provide two critical functions to a small-scale solar energy system: they convert the direct current (DC) produced by solar panels to the alternating current (AC) used in homes and businesses, and they manage the flow of excess energy to the local electric grid.
This report provides practical cybersecurity guidelines for small-scale solar inverter implementations typically used in homes and small businesses. The report also presents recommendations to smart inverter manufacturers to improve the cybersecurity capabilities in their products.
These recommendations build on the IoT cybersecurity capability baselines defined in NIST IR 8259A and NIST IR 8259B by providing smart-inverter-specific information for all baseline cybersecurity capabilities.
NOTE: A call for patent claims is included on page ii of this draft. For additional information, see the Information Technology Laboratory (ITL) Patent Policy – Inclusion of Patents in ITL Publications.
The use of residential and light-commercial inverters connected to the distribution network and not directly owned and operated by the utility to generate electricity for homes and small businesses continues to increase. In addition to supplying power to individual homeowners and small business owners, these systems can supply power to the electric grid.
Smart inverters provide two critical functions to a small-scale solar energy system: they convert the direct current (DC) produced by solar panels to the alternating current (AC) used on the electric grid, in homes, and in businesses, and they manage the flow of excess energy to the electric grid. The “smart” in smart inverter allows these devices to assist the local electric utility in addressing anomalies on the electric grid. However, properly responding to anomalies requires that the smart inverter be configured to behave in a grid-friendly, supportive manner. An improperly configured inverter can respond in inappropriate ways that exacerbate anomalies.
While one smart inverter is unlikely to have significant impact on the grid if it is misconfigured, a large number of misconfigured smart inverters could have a negative impact on a utility’s efforts to address anomalies. If a malicious actor were able to deliberately misconfigure many smart inverters, grid stability and performance could be impacted.
This report provides practical cybersecurity guidance for small-scale solar inverter implementations typically used in homes and small businesses. These guidelines are informed by a review of known smart inverter vulnerabilities documented in the National Vulnerability Database (NVD), a review of information about known smart inverter cyber-attacks, and testing of five example smart inverters. The report also provides recommendations to smart inverter manufacturers for cybersecurity capabilities needed in their products to implement the seven guidelines. These recommendations build on the Internet of Things (IoT) cybersecurity capability baselines defined in NISTIR 8259A and NISTIR 8259B by providing smart-inverter-specific information for some of the baseline cybersecurity capabilities.
Keywords
IoT cybersecurity capabilities; light commercial inverter; residential inverter; small-scale solar energy system; smart inverter cybersecurity
Control Families
None selected