Security Highlight: How Security Regulation Can Help Grid Stability
By Marc Witteman - Senior Director, Keysight Device Security Testing

Grid stability is at risk. The advent of Distributed Energy Resources (DERs), such as solar, wind, and batteries, has increased the attack surface of energy generation. While cities once had few power plants, they now host thousands of smaller, intermittent sources. These DERs are often managed by entities without uptime requirements. At the same time, traditional energy sources face greater demand fluctuations due to the intermittency of renewables. Additionally, electricity demand is growing rapidly due to new applications like electric vehicles (EVs) and data centers.
The availability of electricity is now a national security issue. Long power interruptions disrupt the economy and threaten lives. For example, the recent 12-hour power outage in Spain cost about $2 billion (Financial Times). There’s rising interest from malicious actors, including ransomware groups and nation-state attackers, in controlling the power grid. Initial incidents have already been reported, such as the 300-day infiltration of the U.S. electric grid by China’s Volt Typhoon hackers (SecurityWeek). Renewable equipment, like power inverters, often contains backdoors and can sometimes be remotely controlled (Reuters). Coordinated attacks on numerous inverters could cause incidents like Spain’s.
This situation demands a better-managed energy transition that ensures energy generation is both abundant and secure. Many grid utilities, responsible for delivering power to homes, have introduced smart meters—along with quality requirements. However, the lack of mandated security regulation leaves us with insufficient security levels and coverage across newly introduced equipment.
Fortunately, the landscape is about to change. Alarmed by the rising number and sophistication of cyberattacks, the European Union is introducing cybersecurity regulations to strengthen resilience. Starting in August, it will implement the cybersecurity requirements in the Radio Equipment Directive (RED), mandating security certification for all equipment with a radio interface sold in the EU. In two years, the Cyber Resilience Act (CRA) will further tighten security requirements for all digital products. Since DERs are digital devices, often with wireless connectivity, they will require security certification.
RED and CRA will defend against common security threats by requiring authentication for privileged access and detection of fraudulent usage. The EU is likely to gradually strengthen these rules to ensure a secure and open cyberspace. Such regulations will have a global impact, as vendors aiming to sell products on all continents will comply with CRA requirements to access the EU market.
This development benefits consumers and aligns with national security interests. While security certification incurs a cost, it will reduce expenses from recalls and litigation caused by data breaches.
Partnering with a specialized RED and CRA evaluation service provider offers peace of mind while navigating these regulations. Preparations have already begun, and Keysight is ready to support your development efforts in meeting these crucial standards with our security consultation and evaluation services.