
Cybersecurity risks in AI-driven energy flexibility solutions


By Hebberly Ahatlan



The integration of artificial intelligence (AI) into virtual power plants (VPPs) has advanced energy efficiency and flexibility. However, AI energy innovation also poses significant cybersecurity challenges that stakeholders must address to safeguard critical infrastructure. 

To give some background, over the last several years, the number of cyberattacks on electrical energy companies has greatly increased. For example, between January and August 2024, the number of attacks on U.S. utilities jumped 70% compared to the same time frame in 2023. Given that many of these attacks are attributed to sophisticated nation-state-backed cybercriminals, we can expect that flexibility solutions such as VPPs will also become a target as their adoption increases. What potential dangers lie ahead in the integration of these AI-enabled solutions?

Vulnerabilities in AI-enabled energy flexibility

VPPs are evolving to include a wider range of energy sources, monitoring devices and participants. The production of IoT devices to support the growth of VPPs is generating an immense quantity of energy monitoring sensors that lack robust security features, making them easy targets for cyberattacks. 

The integration of diverse VPP devices and communication links, ranging from industrial to consumer types, means that the overall security of a VPP hinges on the weakest link. For VPPs that comprise smart home energy management platforms, the weakest link can lie in devices, software, or communication protocols, leading to a large and dynamic attack surface. This increases the complexity of securing VPPs across the energy sector. Here’s how each component contributes to the risk:

Vulnerable devices

Energy networks connected within VPPs are particularly susceptible to attacks due to the diversity of their components. Solar panels, geothermal generators, and battery arrays, among others, could face attacks in which cybercriminals disable sensors to manipulate VPP behavior, leading to inefficiencies or disruptions.

  • Some monitoring sensors and VPP communication gateways are built with limited processing power and minimal security features to keep costs down, which compromises security. Chief among these shortcomings are the lack of proper protection for cryptographic keys and the lack of resilience against buffer overflow attacks. These limitations make it easier for cybercriminals to penetrate and take over these devices.
  • Supply chain attacks are a growing threat where compromised devices are introduced to VPPs during manufacturing or distribution, embedding vulnerabilities directly into home energy systems before deployment. Once deployed, such devices can be exploited to compromise the entire VPP system.
  • VPP communication gateways that bridge homes to broader VPP systems are particularly vulnerable to physical tampering. Attackers can gain access to the IoT devices in the home or at the VPP infrastructure level through software or firmware and introduce malicious code to interfere with VPP functionality.

Weak software

Infecting VPPs with malicious software can result in lucrative opportunities for cybercriminals to perform unauthorized data encryption or data control, disrupting operations. In critical VPP infrastructure, which includes legacy monitoring sensors ranging from smart thermostats to solar panel voltage conversion monitors, there is an inherent vulnerability to malware and ransomware attacks. 

  • Devices orchestrated by a VPP with outdated or unpatched device firmware are a major vulnerability. Attackers can exploit known security flaws in outdated software to gain unauthorized access or disrupt system functionality.
  • Insecure APIs interfacing with sensors and energy generators within a VPP present a critical risk. Energy monitoring sensors often communicate using application programming interfaces (APIs) that are not properly secured, allowing unauthorized access to VPP data.
  • VPP monitoring infrastructure often lacks sufficient Security Incident and Event Management (SIEM) technology for logging and monitoring, which makes it difficult to detect or respond to attacks. Without real-time monitoring, attacks may go unnoticed until significant damage is done.

Insecure networks

VPPs depend on the seamless connectivity of numerous devices and systems. This hyperconnectivity exposes VPPs to various cyberthreats; for example, in device spoofing attacks, criminals can impersonate legitimate devices, such as a smart heater or a wind turbine, potentially gaining unauthorized access to an entire VPP through these devices. One method to accomplish this is the Man-in-the-Middle (MITM) attack, a favorite of cybercriminals, in which interceptors can alter communications between distributed energy resources (DERs) and VPP control systems.

  • Unsecured communication protocols are a common problem in distributed energy resources (DERs). In VPPs, diverse arrays of DERs communicate over networks that may lack end-to-end encryption, making them vulnerable to Man-in-the-Middle attacks.
  • VPPs and newly emerging AI-enabled flexible energy applications often utilize a range of communication protocols (e.g., Zigbee, Modbus, or mesh network-based protocols) for their DERs. Some DERs may only support a single communication protocol, such as Zigbee, requiring protocol translation gateways to integrate with the rest of the VPP network. These “patches” can introduce additional vulnerabilities into the infrastructure. Retrofitting security measures to legacy communications is complex and often not future-proofed. This diversity of communication protocols requires the development of multiprotocol gateways or unified standards to facilitate interoperability.

The absence of standardized security protocols for DERs can lead to inconsistent protection across VPPs and energy monitoring platforms. Many efforts are being made to harmonize security and communication among all components in energy networks, particularly in VPP scenarios where consumer data needs to comply with privacy policies. One notable such effort is the Trusted Energy Interoperability Association (TEIA). Yet, there are still many steps to take before reaching a comprehensive and standardized security framework.

Interoperability and security between all components in a VPP remain a significant challenge. Initiatives exist to standardize interoperability among all VPP DERs, but smart home energy management devices, for example, are often built with limited resources, memory, and power. These constraints pose challenges for implementing robust VPP interoperability solutions.

Mitigating cybersecurity risks with XPN

To address these challenges, adopting a zero-trust architecture is essential. Intertrust’s Explicit Private Networking (XPN) offers a solution by providing end-to-end security for data both at rest and in transit, from devices to the cloud and back. XPN’s features include:

  • Persistent data protection: Data integrity is continuously protected both at rest and in transit
  • Network protocol-independent data protection: XPN’s data protection is independent of any protection provided by the underlying network protocol, which may not be reliable
  • Granular command authorization: Commands sent to devices are authorized through a granular policy-based framework with permissions enforced at the deep edge
  • Entity attestation: Following zero-trust architecture principles, device and application entities in the XPN-enabled ecosystem are continuously verified for identity 

By implementing XPN, energy businesses can enhance the security of their AI-enabled energy systems, mitigating risks associated with cyber threats. Consider VPPs which bridge consumer residential communication gateways and smart home management systems with grid orchestration infrastructure and software platforms covering large areas. In these larger regions there exists a multitude of DERs sharing information among themselves, VPPs and the critical grid infrastructure. Residential gateways manage consumer DERs, such as rooftop solar panels. These gateways handle and transmit private consumer information that needs to be protected both for the consumer’s sake and to comply with regulations. In the wrong hands, gateway data could be purposely altered and potentially disrupt the grid. VPP ecosystems can benefit from XPN protecting information from the home to grid and back.
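
An added illustration (not Intertrust's code and not the XPN API) of two ideas from the feature list above: protection that travels with the message regardless of the network protocol, and command authorization enforced on the device. The key, sender name, command name and policy are constructed assumptions, and a shared-key HMAC with a counter stands in for whatever scheme a real product uses.

```python
import hashlib
import hmac
import json

# Constructed values for illustration; real devices keep per-device keys
# in protected storage, never in source code.
DEVICE_KEY = b"constructed-demo-key-not-for-production"
# Hypothetical policy held on the device: sender -> command -> (min, max).
POLICY = {"vpp-orchestrator": {"set_export_limit_kw": (0, 10)}}

def seal(sender, command, value, counter, key=DEVICE_KEY):
    """Controller side: authenticate the command itself, not the link."""
    body = json.dumps({"sender": sender, "command": command,
                       "value": value, "counter": counter}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def gateway_forward(envelope, tamper=False):
    """Protocol-translation hop that the device does not trust."""
    if tamper:  # simulate in-transit alteration of the setpoint
        altered = json.loads(envelope["body"])
        altered["value"] = 0
        return {"body": json.dumps(altered, sort_keys=True),
                "tag": envelope["tag"]}
    return dict(envelope)

class DerEndpoint:
    """Device side: check integrity, then freshness, then authorization."""
    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.last_counter = 0

    def accept(self, envelope):
        expected = hmac.new(self.key, envelope["body"].encode(),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return "rejected: integrity check failed"
        msg = json.loads(envelope["body"])
        if msg["counter"] <= self.last_counter:
            return "rejected: replayed or stale counter"
        limits = POLICY.get(msg["sender"], {}).get(msg["command"])
        if limits is None:
            return "rejected: command not permitted for sender"
        if not limits[0] <= msg["value"] <= limits[1]:
            return "rejected: value outside permitted range"
        self.last_counter = msg["counter"]
        return "accepted"
```

Because the tag covers the command body, a gateway that rewrites the setpoint while translating between protocols cannot produce a message the device will act on, whether or not the link itself is encrypted.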

Conclusion

As the energy sector increasingly adopts AI-driven flexibility solutions, it is imperative to prioritize cybersecurity. Implementing comprehensive security measures, such as zero-trust architectures facilitated by solutions like XPN, can help protect critical infrastructure from evolving cyber threats.

Energy sector stakeholders should assess their current security frameworks and consider integrating XPN to bolster their defenses against cyber threats. Proactive steps taken now can prevent potential disruptions and ensure the integrity of energy systems moving forward.


About Hebberly Ahatlan

Hebberly Ahatlan is a marketing leader with 15 years of experience in the tech industry developing go-to-market strategies. Early in his Silicon Valley career, he played key roles in promoting new generations of power management devices that fueled the miniaturization of portable devices such as mobile phones. Most recently, he focuses on strategies to amplify awareness of SaaS solutions across B2B markets with messaging that deepens brand recognition globally.