Market Insights

UL Introduces Cybersecurity Requirements for Inverters and DER 

May 03, 2023 by Shannon Cuthrell

UL and the National Renewable Energy Laboratory have developed security certification requirements for photovoltaic inverters, EV chargers, wind turbines, and other grid-connected renewable energy resources. 

Safety testing provider UL Solutions has announced a set of testable requirements for distributed energy storage and generation devices that connect to the power grid. 


NREL’s Cyber Range

Visualization of a microgrid in the NREL’s Cyber Range used for testing DERCyST, a bump-in-the-wire intrusion detection solution. Image used courtesy of NREL 


Developed with the U.S. Department of Energy-funded National Renewable Energy Laboratory (NREL) in Colorado, the requirements apply to solar photovoltaic (PV) inverters, wind turbines, fuel cells, electric vehicle chargers, and other renewable energy applications. 

The standard, published as “UL 2941,” aims to push manufacturers and vendors of distributed energy resource (DER) systems and inverter-based resources (IBRs) to prioritize security functions at the device, network, and system levels. 


Updating Standards for Stronger Security

The standard is intended to assist equipment manufacturers, asset owners, and regulatory bodies in strengthening their DER and IBR security functions. UL 2941 targets high-penetration IBRs interfacing with bulk power systems for instantaneous high wind, solar, and hybrid/storage generation. NREL’s press release mentions that UL 2941 sets a baseline for boosting the security of network-connected IBRs, monitoring devices, and software- and firmware-based controls. 

NREL supported the development of UL 2941, based on its Outline of Investigation (OOI) titled “Cybersecurity of Distributed Energy and Inverter-Based Resources.” 


Renewable energy

Renewable energy. Image used courtesy of Pixabay


UL Solutions, a division of leading safety testing firm UL (formerly Underwriters Laboratories), will use the OOI to test commercial IBR and DER products. Devices complying with UL 2941 will be eligible for certification. UL’s press release stressed that the testing is meant as an optional add-on service for IBRs alongside the existing UL 1741 certification, which governs the use of inverters, converters, controllers, and interconnection system equipment with DERs.  

UL and NREL plan to use the OOI to test devices in NREL’s research hub, including using its Advanced Research on Integrated Energy Systems Cyber Range


Renewables Bring Cybersecurity Threats

As NREL noted in a 41-page document outlining its cybersecurity certification recommendations, a growing number of grid-edge DERs are joining the nation’s infrastructure as the market moves from utility-scale to distributed energy generation. This coincides with the increasing adoption of rooftop solar PV and battery storage systems. But as a consequence, this level of uptake expands the surface for potential attacks. 

The new UL 2941 standard addresses these challenges by establishing a testing procedure to spot gaps in DER security functions. Working with New Mexico-based Sandia National Laboratories, DER trade organization SunSpec Alliance, and various industry partners, NREL developed ten test cases to demonstrate that DERs have the functionalities needed to secure devices in an interconnected power system. Their recommendations cover Transport Layer Security (TLS), key updates, message authentication and management, expired and revoked certifications, audits, and service versions. 


Certification test results with and without DERCyST

Certification test results with and without DERCyST. Image used courtesy of NREL


NREL performed two tests on industry-standard PV inverters and PVs equipped with an intrusion detection communication device called DERCyST. The former failed all but one test case, illustrating that existing commercial PV systems are vulnerable to attacks, including eavesdropping, man-in-the-middle and denial-of-service attacks, spoofing, and other common threats. However, the latter certification test (using DERCyST) passed all parameters, as shown in the image above.