Solving the VPP conundrum: securing the flood of energy devices and data

Posted On

By Phil Keys


At this year’s DISTRIBUTECH, two conflicting trends clearly emerged: the need for virtual power plants (VPPs) to help balance the grid and its flip side, how to secure the vast amount of devices and data that VPPs will load on to the grid. Fortunately, Intertrust Energy’s technology is purpose-built to solve these very issues.

The energy industry is doing its best to react to the demands from both its customers and government bodies. Many customers, both commercial and residential, are increasingly pushing for clean energy while governments and the private sector are looking to use clean energy as a linchpin to electrify large parts of our economy. 

Crowdsourcing the wide variety of energy devices such as solar panels, batteries, EVs, etc. that are being installed at the grid edge and using them to help support the grid through VPPs is an attractive solution. The U.S. Government has made this explicit through a number of initiatives that subsidize the transition to clean energy, most notably the Inflation Reduction Act and more specifically, a Department of Energy (DOE) Loan Programs Office initiative to directly finance VPP projects. Recognizing that the importance of AI, a critical element for VPPs, the DOE has gone as far as appointing Helena Fu as Director of the Office of Critical and Emerging Technology who will be involved with AI and other new technologies that will benefit the energy industry. 

On the other hand, electrical grids worldwide are now the direct target of sophisticated cybercriminals backed by nation states. Examples range from an attack on the Ukrainian grid in 2022, attributed to Russia, to agencies from the U.S., UK, Canada, Australia and New Zealand issuing a warning in January 2024 about the threat to electrical grids and other critical infrastructure posed by the Chinese-backed Volt Typhoon cybercriminal group


Rising government pressure 

The cyberthreats to our grid are not something that have suddenly appeared without warning.  Over the last couple of decades, numerous U.S. Government and affiliated organizations ranging from the White House to the North American Electric Reliability Corporation (NERC) have issued a number of standards and directives that affect the energy ecosystem supporting the grid. With the rise of very persistent and sophisticated attacks, complying with these is now a top priority.

While many of these may only technically apply to the utility-owned assets, forward thinking energy companies should consider how they can extend their cybersecurity compliance regimes to VPPs and the assets they control. One of the foundational standards is the NERC Critical Infrastructure Protection (CIP) reliability standard. Aimed at bulk energy systems on the transmission grid, NERC sets a baseline for implementing cybersecurity protections for the grid assets that VPPs will interoperate with. It can also be useful when considering protections for VPPs and the distributed energy resources (DERs) they  control. 

But of course, NERC CIP is not the only pressure from the government that energy companies need to account for. The White House Executive Order on Improving the Nation’s Cybersecurity was issued in May 2021, right after the Colonial Pipeline cyber attack. Focused on critical infrastructure, the Executive Order mandated that, among other actions, that Federal agencies adopt Zero Trust Architecture. Heavily implied is that critical infrastructure operators would be wise to do the same thing.

Given the myriad of potential software vulnerabilities, system misconfigurations and good old fashioned compromised employees, adopting the Zero Trust maxim of “never trust always verify” is really best practice for any cybersecurity program. Since the majority of the DERs that VPPs interoperate with are outside of an energy company’s direct control, it should be considered mandatory. One barrier, however, is that many of the cybersecurity protocols currently in use to protect energy devices, whether they are attached to the grid or behind the meter, aren’t Zero Trust-compliant.

How Intertrust XPN can help

Intertrust’s Explicit Private Networking (XPN) secure communications service is specifically designed to provide a Zero Trust compatible end-to-end environment to protect connected devices, whether they are sensors attached to a gas turbine generator or an EV charger in a garage. Using standards that have been used and proven on the Internet for some time now, XPN is a novel service that verifies the device before it transmits data and then persistently protects that data as it travels to the cloud. It does the same for any commands sent from the cloud to the device. 

XPN is not a “rip and replace” solution which requires a company to trash their entire cybersecurity infrastructure. Rather, it can be thought of as an overlay that adds an additional layer of trust and protection for energy devices and their data. XPN has been integrated into the xPP VPP system from EIPGRID and Intertrust is working with other VPP providers and utilities on XPN-enabled services. 

Of course standards are vital to the energy industry, and Intertrust, along with major energy companies, is a co-founder of the Trusted Energy Interoperability Alliance (TEIA), which is developing comprehensive security and interoperability standards for the energy industry. Intertrust is working closely with TEIA to ensure that XPN will be TEIA-standard compliant.

For an in-depth demo of XPN, just fill out this form and we’ll be in touch!