This paper describes objective technical results and analysis.

Any subjective views or opinions that might be expressed

in the paper do not necessarily represent the views of the U.S. Department of Energy or the United States Government.

SAND2018-4532J
Power System Effects and Mitigation Recommendations for DER Cyber Attacks
Jay Johnson 1*, Jimmy Quiroz 1, Ricky Concepcion 2, Felipe Wilches-Bernal2, Matt Reno2

1 Renewable and Distributed Systems Integration, Sandia National Laboratories, P.O. Box 5800, Albuquerque, USA
2 Electric Power Systems Research, Sandia National Laboratories, P.O. Box 5800, Albuquerque, USA
*jjohns2Asandia.gov

Abstract: Extensive deployment of interoperable distributed energy resources (DER) on power systems is increasing the power
system cyber security attack surface. National and jurisdictional interconnection standards require DER to include a range of
autonomous and commanded grid support functions, which can drastically influence power quality, voltage, and bulk system
frequency. In this paper, we investigate the impact to the power system in scenarios where communications and operations of
DER are controlled by an adversary. The findings show that each grid-support function exposes the power system to different
types and scales of risk. Detailed case studies are performed for distribution system voltage regulation and transmission system
support during contingency events. Finally, recommendations are presented for minimizing the risk using engineered
parameter limits and segmenting the control network to minimize common-mode vulnerabilities.

increases significantly when extending communications to

1. Introduction
The interconnection of power electronics-interfaced
distributed energy resources (DER)—like photovoltaic (PV)
inverters and energy storage systems (ESSs)—has been
increasing worldwide for the last two decades due to
renewable portfolio standards, environmental standards, and
customer preference [1]. These devices have traditionally been
designed to not participate with grid operations and to
disconnect from the grid when there are voltage or frequency
disturbances, per the U.S. interconnection standard, IEEE
1547 [2]. However, renewable energy penetrations have
reached a point where challenges with voltage regulation,
protection, and bulk system control are becoming an issue
because DER are displacing thermal plants with inertialess,
non-dispatchable, variable sources of generation [3-5].
To mitigate these challenges, utilities, independent system
operators (ISOs), distribution system operators (DSOs), and
transmission system operators(TSOs)are pushing for updated
DER interconnection standards which include DER grid-
support functions. For instance, the California Public Utilities
Commission (CPUC) updated Electric Rule 21 in early 2015
[6] to include seven autonomous grid-support functions and
Hawaii Rule 14 was updated to include new grid-support
functionality for DER [7]. Similar changes to interconnection
standards and grid codes have been occurring in Italy,
Germany, Austria, Australia and New Zealand, and other
places around the world [8-10].
In the majority of these regions, grid-support functions are
programmed before installation and operate with fixed settings
for their lifetimes. However, a proposal in front of the CPUC
[11] and a draft revision to IEEE 1547 [12] require DER
communications. Interoperability allows commanded
functions to be employed and autonomous function parameters
can be changed. The cyber security risk to the power system
DER devices because the utility supervisory control and data
acquisition (SCADA) controls are now issued over public
internet channels as opposed to using the traditional dedicated
telecommunications lines. Some larger DER plant controllers
connect to grid operators through fiber-optic cables, copper
telephone lines, cellular modems, and microwave or other
radio relays [13], so there are several access points to these
systems.
Many utility-scale systems use DNP3, IEC, or RTU
communications to the PV plant [14-16]. Residential and
commercial DER manufacturers typically communicate to
their equipment using a gateway device which in turn
communicates Modbus to the power equipment. The Modbus
maps are often proprietary but more recently there has been
heavier adoption of SunSpec Alliance de facto standard
information models [17]. The Modbus protocol does not
provide confidentiality (e.g., native encryption), authentication,
or authorization capabilities. For this reason, it is difficult to
ensure data integrity between aggregators or utilities and the
DERs.
Other protocols—such as IEEE 2030.5 Smart Energy
Profile 2.0 (SEP2) [18], IEEE 1815 (DNP3) [19], or
OpenADR 2.0 [20]—include encryption capabilities, but DER
vendors designed their equipment with limited computing
power to minimize costs so these devices may not be capable
of encryption. An EPRI-led California Solar Initiative project
investigated the use of'bolt-on' protocol translator options for
DER devices (e.g., SEP2-to-Modbus)[21] and found that this
was a method of providing greater levels of security to
communication networks [22]. The California Investor-
Owned Utilities have all committed to use IEEE 2030.5 when
issuing communication commands to aggregators and DER
devices, though they may use other protocols (such as IEEE
1815 or Inter-Control Center Communications Protocol

Sandia National Laboratories is a multimission laboratory managed and operated by National Technology & Engineering Solutions of Sandia, LLC, a wholly owned
subsidiary of Honeywell International Inc., for the U.S. Department of Energy’s National Nuclear Security Administration under contract DE-NA0003525.
(ICCP)/IEC 60870-6) when communicating to utility-owned
assets.
2. Grid-support functions
DER grid-support functions and associated test protocols
were developed in early work at EPRI and Sandia National
Laboratories [23-25], and standardized in IEC 61850-90-7 [26]
and the forthcoming revision to IEC 61850-7-420 [27], IEEE
1547, UL 1741 [28], and other state, national, and
international standards. These functions provide grid operators
new protection, voltage regulation, frequency control, and
monitoring capabilities. Example functions from IEC 61850-
90-7 are shown in Fig. 1. While there are slight differences in
these functions between standards [29], there are many
commonalities. In this work we will use the IEC 61850-90-7
naming convention.
Grid-support functions are principally designed to assist grid
operators with large frequency and voltage variations [30]. To
prevent interactions of the inverters with voltage regulation
equipment and avoid interactions with automatic generation
control (AGC) and regulation generators, autonomous
functions are designed with deadbands around nominal
voltage and frequency. Additionally, the response time, and
ramp rate of many of the functions can be programmed to
prevent adverse interactions with the existing power system
controls. If these parameters are misconfigured or changed
maliciously, the orchestrated control interactions of power
system regulation equipment may conflict.
3. Distribution Cases
3.1. Volt-var(VV)control
One of these most common distribution voltage regulation
functions is the "volt-vaC function, which adjusts the DER
reactive power based on grid voltage. When properly
designed, the DER will absorb reactive power at high voltages,
and produce (or inject) reactive power into the power system
at low voltages. This reactive power compensation has been
studied extensively [31-32] and is required in European and
American interconnection standards [9].
Recently, Sandia National Laboratories developed a
hierarchical control mechanism to shift a watt-priority VV
curve for steady-state voltage control [33-34]. Unlike
traditional VV, this controlled VV function dispatches new
VV parameters to the inverters regularly (every 1-20 seconds)
to reduce the likelihood of exiting ANSI Range A voltages
(0.95-1.05 p.u.).
Multiple distribution system simulations of a rural 12 kV
distribution feeder serving a highly commercial load area (see
[33] for feeder details) were conducted for the controlled VV
function and compared to feeder voltages when the VV
parameters were maliciously changed due to cyber-attack. In
one attack, the VV curve parameters of the default VV curve
were flipped about the zero reactive power line, as shown in
blue VV curve in Fig. 2. This caused the inverter to drive the
feeder away from nominal voltage by producing reactive
power at high voltage and absorbing reactive power at low
voltage. The second example considered an attack which
changed the VV curve so the DER always produced 42% of
the reactive power nameplate, as shown in dashed-red in Fig.
2. The resulting inverter behavior resulted in the reactive

Voltage Support Frequency Support Grid Protection

• Adjust Power Factor(INV3)
• Vott-Var Mode(VV11,W12. VV13)
---> V
N \,/
• Dynamic Reactive Power (TV31)
(Response to Disturbances)
• Adjust Maximum Active Power (INV2)
• Connect/Disconnect (INV1)
p
r -
{ t
>
Request Active Power from Storage Low and High Voltage Ride
(INV4) Through (L/HVRT)
> V, ,,

TQ Ir
Signal for Charge/Discharge (INV5) Low and High Frequency
• Volt-Watt Mode (VW51: VW52)
t Ride Through (L/HFRT)^
f II

>1 f
*\
Frequency-Watt Mode (FW21. FW22)
• Watt-Power Factor (WP41. WP42) PI
Temperature Mode Behavior
(TMP)

PFT _ > Te m p

Fig. 1 IEC 61850-90-7 grid-support functions. *L/HFRT was not originally included in the IEC report, but is a common
function in interconnection standards.

2
power production always driving a voltage increase on the profiles, like the snapshot shown in Fig. 4, illustrate the
distribution circuit. potential for dangerously high voltages, up to -1.12 p.u.
(134.2 on a 120.0 V base) when the inverters are improperly
0.5 programmed. U.S. utilities must keep service voltage levels
Reactive Power (pu)

below the ANSI C84.1 Range A upper threshold of 1.05 p.u.

However, in the inverted VV and constant VAr attack
simulations, the feeder voltage at the inverter point of
0 common coupling (PCC) was above that limit for 61.2 and
89.0 hours over the course ofthe simulated week.

3.2. Fixed powerfactor

-0.5
0.94 0.97 1 1.03 1.06 The fixed power factor(PF)function is a useful tool for grid
Voltage (pu) operators to control voltage deviations from DER because the
reactive power scales with the active power from the devices.
-Unity PF -Default VV ----Inverted W - - Constant Var In cases where voltage deviations are caused by DER, the PF
Fig. 2 Volt-var plane comparisons for cases simulated. can be used to compensate with a proportional quantity of
reactive power. However, like the volt-var function, if the
adversary controls the DER PF settings, feeder voltages could
- Unity PF(42.5 hrs)
- Default W (24.9 hrs)
be increased significantly beyond ANSI limits. Fig. 5 shows
- Controlled W(0 hrs) the resulting maximum voltage when a watt-priority PF was
- Inverted W (61.2 hrs)
- - - Constant VAr(89 hrs)
fixed at 0.9 for one day. As is visible in the dip at solar noon,
the voltage in this case was limited near peak power
A
production as the reactive power was curtailed to allow the
inverter to generate the available active power without
c 1.08
'5 exceeding the apparent power limit ofthe DER.

1.05 -
-Default W
-Controlled W
1 02 •-t• -Attacked
0 1 2 3 4 5 8 7
Day
Fig. 3 Maximum feeder voltage comparisons for simulation I 1.08
week with attack cases.

2
1.05

1.12 -Unity PF
-Default VV
-Controlled VV
1.1 -Inverted VV 1.02
- - - Constant VAr Day 7

S 1.08 Fig. 5 Maximum voltages for VV/SS-voltage distribution

system control case with attack case results.

Overvoltages of the magnitude demonstrated from both the

00 1.04
1.02
O 0.5 1 1.5
Distance from Substation(km)
Fig. 4 Feeder voltage profile for different reactive power
control modes.
Fig. 3 shows the resulting maximum 10-minute average
voltages resulting from the attack cases simulated in
comparison to the fixed unity PF function, default VV-shifting
case, and uncontrolled VV function. The feeder voltage
VV and PF attacks would result in DER tripping or possible
equipment damage. Generally, equipment is protected from
voltage excursions by voltage stabilizers, but some products
like air conditioners, refrigerators, or computer equipment
could be damaged by voltages deviations. Standards for
2 2.5 3 3.5 4 4.5 5 voltage limits are described in ANSI C84.1 for steady-state
utility service voltages, in Information Technology Industrial
Council (ITIC)-superseding the Computer and Business
Equipment Manufacturer Association (CBEMA) curves-for
transient voltage requirements for computers, SEMI F47 for
the semiconductor industry [35], or IEEE Std 1668-2017 [36]
for general equipment.
However, those simulations assumed no restrictions on the
maximum voltage level. Both legacy and new inverters
3
compliant to CA Rule 21, HI Rule 14H, or the forthcoming
IEEE 1547 full revision will trip off with steady-state voltages
above 1.10 p.u. [37-38]. Per the IEEE Std.1547-2005, most
inverters presently interconnected to the US power system
would disconnect when PCC voltages exceeded 1.1 p.u. In the
latest revision of IEEE 1547 (expected in 2018), this will not
change, as the voltage ride-through requirements state that
DER to cease to energize within 0.16 seconds and trip
between 12-13 seconds for voltages above 1.1 p.u.
Unfortunately, in cases of high penetrations of PV power
production, this could cause grave system impacts; when the
inverters trip from high or low voltage events, the loss of this
generation and reactive power contribution could exacerbate
the voltage deviation or, from a transmission perspective,
threaten grid stability ifenough ofthe DER separated from the
electric power system, as discussed in the transmission case.
4. Transmission Cases
DER devices that interface with the larger grid through
power electronics, show promise in improving grid functions
because of their ability to adjust output nearly instantaneously.
Contrary to traditional rotating mass generation, these
inertialess sources must respond to disturbances through
intelligent control based on measured or communicated
signals rather than physical means like electro-mechanical
coupling. As a result, these devices exhibit vulnerabilities to
adversaries primarily through parameter adjustment or remote
signal manipulation.
In this section, we examine the extent of these
vulnerabilities for a selection of control cases. Because many
control cases are negative feedback-based, we identified that
inducing positive feedback would be the worst-case scenario
and would result in undamped or unstable oscillatory behavior.
The system used for the transmission case in this study is a
reduced model of the US North-eastern interconnection. The
model has 140 buses and 48 generating units. In this model,
roughly 50% of the total generation produced by conventional
generation was substituted to stem from DER. A loss of
generation event was considered and corresponded to the loss
of a unit producing 655 MW or nearly 2.3% ofthe total power
in the system.
4.1. Frequency Droop
DER are increasingly responsive to frequency fluctuations
and can participate in the primary frequency regulation of the
system [39-40]. Typically, the control mechanism they use to
provide this type of regulation is a proportional control action
similar to the governor droop found in conventional
generation [41]. This type of control is also known as the
frequency-watt function when the function is linear.
Traditionally, the signal the DER control and respond to is a
local measurement of frequency on the bus they are
interconnected. Previous research has shown that using a
global (or average) system frequency instead of a local one is
beneficial to the regulation provided by DER [42].
z 60
-10
1=g
59.9
-30
59.7 -40
0 10 20 30
Time [s]
(a) Conventional droop
4 60
'59.9
59.8 -30
59.7 -40
0 10 20 30
Time [s]
(b) Communication-enabled droop
Fig. 6 System frequency response for the loss of generation
event. Top: conventional droop. Bottom: communication
enabled droop [42].
This section studies the effects on the initial frequency
response of the system when the control action provided by
DER is corrupted by a malicious attack. The scenario
considered is when the control action is inverted, which means
that DER will decrease their power output when the frequency
drops, exacerbating the initial power imbalance. This action is
achieved by using a negative droop gain (or inverting the
frequency-watt function). Fig.6 shows the frequency response
of the system for the loss of generation event described above
when the proportional gain of the DER included in the system
has different negative values ranging from -1 to -40. Fig. 6a
shows the results when the feedback signal to the droop
control of the DER is the local bus frequency. These results
show that the decrease in system frequency is exacerbated by
the DER action, as anticipated. With negative values of droop
gain of -25 and beyond, the system loses synchronism which
is observed in Fig. 6Fig. a as the average frequency becomes
underdamped. Note the time it takes the system to go unstable
decreases as the negative gain increases. Fig. 6b shows the
results for the case when the feedback signal of the DER is an
average signal of the system. These results show the same
behavior as those in Fig. 6b with the system losing
synchronism for gains of-25 and below.
4.2. Synthetic Inertia
Synthetic inertia enables DER to participate in the primary
frequency response by emulating the inertial response of
traditional generators. The active power output of the DER is
4
proportionally adjusted in response to the measured frequency
derivative using the curtailment for PV inverters or the active 0
power setpoint for energy storage systems. Because of the
60 -20
control law's negative feedback nature, synthetic inertia is also
vulnerable to parameter adjustment via negation ofthe inertial -40
59.95
gain. Fig. 7 shows the system frequency response with -60
synthetic inertia deployed having different inertial gain values -80
59.9 —
in the range of 0 to -125. Simulation results indicated system
cn -100
instability with gains beyond -125. Comparing to the case
without any feedback controls enabled, the negative gain 59.85 120
0 10 30 40
values adversely affect the system response, more so as the
magnitude of the gain increases. However, the system does
remain robust against this type of parameter adjustment within Fig.8 System frequency response with communication-
this range of gains. On the other hand, if the controller gain enabled synthetic inertia using different controller gains.
were aggressively tuned to higher values for a stronger
response, then negation of it could lead to instabilities after
system disturbances. 60 0
The concept of communication-enabled synthetic inertia N -20
(CE-SI) was found to have promise in improving the system -40
inertial response [43]. This variation on synthetic inertia uses a Es 59.95
G-1 -60
system-averaged frequency for its control law, like that of the
similarly named droop scheme in the previous section. This -80
system frequency must be computed using remotely 59.9 -100
— No control
communicated information and introduces potential latency -120
and vulnerabilities through the communication channels 0 10 20 30 40
Fig. 8 shows how the system response changes with CE-SI Time [s]
deployed—note the range of stable gains for CE-SI is slightly
Fig.9 System frequency response with communication-
smaller than that of SI. Fig. 9 shows the results for when 500
ms of communication latency is considered; the latency can be enabled synthetic inertia plus 500 ms of communication
observed by the shifted frequency nadir locations. Contrary to latency for the system frequency signal.
intended performance, the introduction of communication 4.3. Feedforward control: Communication-Enabled
latency increases system robustness to parameter adjustment, Fast-Acting Imbalance Reserve
allowing for higher magnitude controller gain before
experiencing instability. DER can also participate in the primary frequency
regulation of the system using a feedforward control strategy
named Communication-Enabled Fast-Acting Imbalance
Reserve (CE-FAIR) using the curtailment function [44]. In
0
60
this approach, DER are controlled with an order that is
-20
constructed based on power imbalances. Once a significant
-40 power imbalance has been detected, DER in the system are
s.s 59.95 redispatched to reduce the power imbalance and its effect on
-60
-80 d the frequency of the system. In CE-FAIR, the amount of the
t 59.9 power imbalance to be provided by DER is determined by a
-100
parameter, rl, known as the power compensation level. An ri
-120
value of 1 means all the power imbalance is compensated by
10 20 30 40
Time [s]
the DER action commanded by CE-FAIR. The redispatch and
identification of power imbalances in this method occurs
Fig. 7 System frequency response for different inertial gain through communication networks and hence are vulnerable to
values. attacks. If the power imbalance is misidentified or the
command order to the DER is reverted, the CE-FAIR action
may act to further increase, rather than reduce, the power
imbalance.
In this work, the effect that CE-FAIR has on the frequency
regulation of the system when its action is corrupted is
investigated. Fig. 10 shows the frequency response of the
system for the loss of generation event for cases when the
power compensation level (n) ranges from 0 to -1. The case
when ri is zero is the same as the no control case. The case

5
where 71 is -1 corresponds to the case where DER reduce their
power to match the original drop; the total drop experienced
by the system doubles from the original. These results show
that the frequency of the system experiences a much larger
drop and both the settling frequency and the frequency nadir
of the system are reduced with respect to the no control case.
It is important to note that even though the overall response of
the system is affected, the system does not lose synchronism
even for the worst case ofn = —1. This result contrasts with
the results outlined in the two previous sections where the
controls acting contrary to their intended action can make the
system lose synchronism. The reason for this difference is the
two previous control strategies are based on feedback control
and the compromised control strategies correspond to positive
feedback where even small events can drive the system into an
unstable regime. CE-FAIR, being a feedforward control action,
cannot be exploited in the same manner and is therefore less
deleterious to the system when its action is corrupted by an
attack.
Since CE-FAIR relies on communications, it is reasonable
to expect that its action is subject to a certain latency. The
effects of this latency when the control CE-FAIR control
action is harmful to the system are presented in Fig. 11. In
these results, the power compensation level was set to -1. The
results in Fig. 11 show that because the control action is
delayed, the initial change in the frequency is not increased
and the initial negative effect of the CE-FAIR action to
RoCoF is reduced.
60 10
'CT - - -No control
4c.r 59.95
,
c])
-4
cip 59.9
0 10 20 30
Time [s]
Fig. 10 System frequency response for different power
compensation level values.
= -1
60
N - - -No control
4 59.95
r'
)
. 59.9
0 10 20
Time [s]
Fig. 11 System frequency response when ri = —1 for
different cases of delay in the control action.
ISO-NE references NERC Reliability Standard PRC-006-
NPCC "Automatic Underfrequency Load Sheddine [44], as
its operating procedure [45], which states that Distribution
Providers and Transmission Owners in the Eastern
Interconnection must implement their first stage of
underfrequency load shedding (UFLS) at 59.5 Hz. Therefore,
the manipulation ofthe CE-FAIR controller would not cause a
loss of load, unlike the unstable cases for CE-SI and
frequency-droop (i.e., FW). However, balancing regions with
less inertia or greater penetrations of inverter-based DER,like
Hawaiian grids, could experience load shedding in these
scenarios [46-47].
5. Power System Risks and Mitigations
Based on the findings in distribution and transmission case
studies, it is possible to predict the influence of adversary
control of DER networks for many different grid support
functions and defend against these types of attacks. In this
section, we present the anticipated effects of malicious control
over DER advanced grid-support functions and then provide
two potential defense-in-depth security elements to minimize
the power system impact. The first is a set of device-level, pre-
programmed firmware or software rules designed to prevent
DER from entering unsafe operating regions; and the second is
a methodology for architecting the DER control network such
that the power system impact from common-mode attacks are
minimized, i.e., a means of isolating the extent of the attack.
These two defensive mechanisms should be implemented in
additional to other standardized cyber security principles of
keeping DER equipment available, ensuring the integrity of
the data packages, and keeping data-in-transit confidential
-0.5
through access controls and encryption.
5.1. Power System Risksfor Grid-Support Functions
Based on the power system studies in the previous sections
-1 and knowledge DER control behaviors, the estimated
aggregated control risk from each DER function is presented
in Table 2. The risk presented due to improper programming
ofthe grid-support function was evaluated using the following
criteria:
• Low risk: limited power system impact
• Medium risk: regional voltage effects or localized
loss ofload (brownouts)
• High risk: bulks system power outages
Functions which adjust the DER active power (FRT, VRT,
RR, SS, FW, VW, connect/disconnect, and curtailment) all
could result in blackout situations, if the lost solar generation
occurs quickly and was providing power greater than the
contingency reserves. In those cases, the risk is high. The
functions which adjust reactive power (PF, VV, WP, and set
reactive power) are medium risk to the power system because
these could cause localized high or low voltage issues or trip
off some DER devices (as described in Section 3). However,
one can imagine that if the DER penetrations are high enough,
6
the risk will increase because large portions ofthe grid will be limit the trip settings ranges of adjustment would prevent this
disconnected. type of attack.

5.2. Engineering Controls 5.2.2 RR and SS: Normal and soft start ramp rates
determine the maximum change in active power of the DER
While there are many cyber security guidelines and
during normal operation and start-up. In general, these
recommendations for industrial control systems (ICS) and
functions are unlikely to be configured in a manner to cause
operational technology (OT) equipment—e.g., NIST 800-82
power system disturbances. One potential exception to that
[49]—there are few standards that apply for DER [50-51].
generalization is a case where there is a disruption to the bulk
Therefore, DER vendors are not held responsible to any
system and all inverters are disconnected from the system.
requirements. In rare cases, DER equipment undergoes formal
When the system re-energizes, if the inverters all start
cyber security assessments (e.g., UL 2900-2-2 [52]) prior to
exporting power after the reconnection delay (typically 5
being fielded.
minutes) with a high soft start ramp rate, it could cause a high
We offer an engineered mechanism to reduce the risk
frequency event. To avoid this risk, maximum ramp rates
presented by interoperable DER equipment with grid-support
could be established, as they have been in CA Rule 21, and
functions. As shown previously, power system quality of
enforced in the DER when they are issued a command.
service may be impacted by improperly set grid-support
parameters, so it is recommended to include software or
5.2.3 FW: Frequency-watt functions provide grid stability
hardcoded firmware rules in the DER that reject the grid-
during over-frequency events(or under-frequency events [55]).
support settings if they fall outside of an allowable range.
However, if these functions are programmed with no
These engineering control rules could largely prevent PV
deadband and steep slope, the DER would rapidly change its
systems from causing adverse power system effects through
output with minor over- or under-frequency events. Since
adversary actions or accidental misconfiguration, as shown
frequency is system-wide, there would be a high correlation of
previously. For each of the advanced grid-support functions
power changes between DER, which could lead to bulk
(e.g., volt-var, freq-watt, specified power factor, etc.),
system effects such as a blackout.
parameters that define these functions would be checked
against simple mathematical rules to ensure the function will
5.2.4 VV.• The volt-var pointwise curves are defined by(V, Q)
provide desired behaviors. When parameters are set outside of
points. To prevent the type of attack presented earlier, rules
these limits, the communication module or inverter
could be enforced to ensure the points are assigned to be in Q2
microprocessor can verify the setting and reject the update if
and Q4 in the V-Q plane and rejected otherwise, as shown in
necessary. These types of rules are currently implemented in
Fig. 12.
some PV inverters, but not mandated or standardized.
Defining ranges of values for each of the parameters in the
information models (e.g., California Smart Energy Profile Volt-Var Function Parameter Ranges

(CSIP) [53], DNP3 Application Note [54], SunSpec Modbus 60

Models, IEC 61850) or interconnection standards would

Reactive Power (%nameplate)

40
standardize the acceptable ranges or rules for DER Acceptable D isallowed
parameters.' At that point vendors could write code to enforce VV points VV points
20
the standardized limits for each function. In this section, we
describe theoretical cyber attacks and suggest parameter
constraints for grid-support functions to minimize the risk of 0
adversary manipulation.
-20
Disallowed cceptable
5.2.1 FRT and VRT.• Frequency and voltage ride-though and VV points V points
-40
trip requirements determine when the DER will cease to
energize (often called gate blocking) and disconnect from the
-60
power system. IEEE 1547a, IEEE 1547 full revision, Rule 21, 90 95 100 105 110
and Rule 14 have default values and ranges of adjustability for Grid Voltage(% nominal)
these parameters. There is variability in the power system
voltage and frequency naturally. These variations are typically Fig. 12 Example engineering control rules for VV curve
small and occur as the load and generation mix changes on the parameters.
power system. One risk of this function is that if the voltage or
frequency magnitude were adjusted to commonly occurring
levels (such as nominal frequency or voltage), the FRT and 5.2.4 VW: The volt-watt function is designed to reduce the
VRT function would disconnect the DER. Simple rules to active power during high voltage events. The same risks that
exist for the FW function, exist with the VW function. If the
function is programmed such that nominal voltages generate
1 Note the IEEE 1547 full revision does include required ranges of zero power, this function would produce the same effect as a
adjustability for certain parameters, but this is a minimum range of disconnect command To protect against this type of attack,
adjustment, not a maximum range of adjustment.
7
required deadband sizes and nominal production values could function, except the reactive power is not reduced at low DER
be instigated. power. Depending on the use case, any number of reactive
power levels could be used, so there is no engineering control
5.2.4 PF and WP: As shown above the fixed power factor to minimize the power system risk from this function.
function can be manipulated to increase the local grid voltage.
It is unlikely any engineering controls can be placed on this 5.1. Cyber Security Reference Architecture
function for general operations, however for the use case of
The second option to reduce the power system cyber
reducing voltage as active power increases, the power factor
security risk is through well-designed communication
could be limited to the reactive power absorption quadrant
networks. Network segmentation is a technique to minimize
(Q4).
common-mode vulnerabilities, whereby enclaves are isolated
The watt-power factor risks are the same as those from the
with firewall rules, VPNs, proxies, or other networking
fixed power factor function because a horizontal line could be
technologies so that traffic between them is only allowed by
programmed so that regardless of the DER power production
exception. Extensive research on segmentation for military
the DER would operate at a fixed PF. Since this function has a
microgrids has been completed previously[56]. The downside
relatively limited use case, a region could be blocked off, as
of this approach is the additional network administration and
shown in Fig. 13, where the DER could not produce reactive
communication latency. There are technical challenges to
power above a set active power output level. This reduces the
segment DER networks because networking equipment will
risk presented in Section 3.2 where the DER PF drove the
not necessarily be owned and operated by a single entity. It
PCC voltage even higher. It is unlikely that there would be a
may be possible to enclave the devices if communications are
use case for this function where the DER would source
passed directly to the DER through networks that are owned
reactive power at high DER power.
by the grid operator, e.g., through an advanced metering
infrastructure (AMI) mesh radio or dedicated SCADA
A Overexcited (producing reactive power) network to DER systems. However, in the majority of
PF limit
commercial and residential PV systems, communications will

PF
11.1g., 50% of
nameplate
power
1 DER Power
►
be established through wired or wireless networks via the
public internet, as shown in Fig. 12. In those cases, it is more
difficult to enclave the networks because internet service
providers (ISPs) control the network routing and firewall rules
Underexcited (absorbing reactive power)
cannot be implemented easily without assistance from the
ISPs. Therefore, the use of VPNs, proxies, or some other
PF limit technology would be required to logically isolate the enclaves.
Three options and their pros and cons are presented in Table 3.
Fig. 14 Engineering control to minimize WP overvoltages These include using firewall rules—which will only work
due to misprogramming. when operating over a private network, using hardware
proxies to hide traffic, and using encrypted VPN tunnels.
5.2.4 Fixed Reactive Power.• A fixed reactive power

Home Feeder

P.ad\o
over
PV Contto\
ata and
cAl D

Power
Delivery WAN DER
Management
System
(DERMS)

EV I Inverter

Inverter k...
7
ISP Switch

PV Data and Control over Public Internet

Home Area Network(HAN) Field Area Network(FAN) Local Area NilaN) Local Area Network(LAN)

Fig. 13 Different DER control network architectures in which DER data is exchanged over public internet or AMI radio
networks.
function presents nearly the same risks as a fixed power factor
8

Firewall rules have been used in the past for military
systems [56], but these are not effective when operating with
internet connected devices because the network traffic
channels are not consistent and ISP systems are designed for
speed, not security. This method becomes an option when the
utility or other grid operator is communicating to DER
equipment through a network that they own. In that case, they
may apply specific firewall rules to create enclaves. Blocking
all connections initially and then allowing specific ones is
considered a best practice with firewall rules. When the
network is privately controlled, this approach will allow a
utility to whitelist traffic from a DERIVIS to each respective
HAN (or commercial/utility DER LAN or enclave), and all
other traffic would be dropped. This can be easy to manage if
the number of HANs is small; however, if that number is
extensive and continually changing, it would become a
difficult operational management issue. Constantly changing
firewall rules can also introduce a greater chance for the
dropping of legitimate connections by mistake thereby causing
significant ongoing support concerns. The advantage—almost
necessity—of using a firewall on a private network is to
ensure that only traffic desired from the DERMS to a specific
HAN is allowed to transit the network, and all other traffic
(potentially malicious) is dropped.
Another option would be for the utility to provide each
physical site with a hardware proxy between the ISP
connection and HAN or facility LAN. A hardware proxy is
simply a small device similar to a cable/DSL modem that
would have two primary connection. One connection would be
to receive the general ISP connection, and the other would be
to output to the HAN. Additional connections would be
required if the device were intended to connect directly to an
inverter—in that case, the hardware proxy would route traffic
identified as intended for the inverter before passing it off to
the HAN. This proxy would monitor for traffic specific to the
inverter and pass that traffic directly to it; all other traffic
would be passed unmonitored to the HAN. Controlling
specific traffic between the DERMS and an individual (or
group) HAN would be similar to the firewall option over a
private utility network. There would be potential privacy
concerns if the proxy were compromised by an adversary who
could then manipulate the network traffic for their benefit. A
challenge with the hardware proxy will be to install and

Table 2 Anticipated power system risk from adversary control ofDER aggregations, assessed for each grid-support function.
Grid-support Risk with
Risk Cause Mitigation Plan
function Controls
Enforce IEEE 1547, CA Rule 21, HI Rule
Frequency Ride- Tight FRT trip settings would cause
14 or other standards' ranges of
Through (FRT) High DER power loss with minor frequency Low
adjustability for each point will prevent the
Trip Settings deviations
DER from prematurely tripping.
Enforce IEEE 1547, CA Rule 21, HI Rule
Voltage Ride- Tight VRT trip settings would cause
14 or other standards' ranges of
Through (VRT) High massive power loss from minor voltage Low
adjustability for each point will prevent the
Trip Settings deviations
DER from prematurely tripping.
Normal Ramp High (fast) RR requires faster regulation Set maximum ramp rate to reduce
Low Low
Rate(RR) but minimal power system impact frequency regulation requirements
High (fast) SS may require faster down-
Soft-Start Ramp Set maximum SS to prevent frequency
Low regulation but minimal power system Low
Rate(SS) overshoot during black start
impact
Improperly programmed FW curves Requiring parameter and deadband
Frequency-Watt
High would cause DER power loss, possibly Low constraints will prevent DER power
(FW)
resulting in blackout reductions.
Improperly programmed VW curves Requiring parameter and deadband
Voltage-Watt
High would cause DER power loss, possibly Low constraints will prevent DER power
(VW)
resulting in a blackout reductions.
Connect or None. Requiring a randomization time
Aggregate DER power loss could cause
Disconnect High High window could prevent step changes in
blackout
(INV1) production.
Limit Max Real Aggregate DER power loss could cause None. Only limits on settling time or ramp
High High
Power (INV2) blackout rate would prevent under-generation.
Extreme voltage conditions could be None. Applying ramp rates would slow the
Power Factor
Medium generated on feeders, leading to Medium control action so other voltage regulation
(INV3)
localized outages equipment could react.
Extreme voltage conditions could be Requiring the reactive power sign to
Volt-Var mode
Medium generated on feeders, leading to Low provide negative feedback to the voltage
(VV)
localized outages deviation will prevent voltage excursions.
Extreme voltage conditions could be
Watt-Power Constraining the W-PF curve will prevent
Medium generated on feeders, leading to Low
Factor(WP) voltage excursions.
localized outages
Extreme voltage conditions could be None. Applying ramp rates would slow the
Fixed Reactive
Medium generated on feeders, leading to Medium control action so other voltage regulation
Power
localized outages equipment could react.
support a physical hardware device at each site; this could
present additional support and maintenance cost to the utility.
It may be possible to provide each facility with an ISP-
friendly switch/modem in place of what the ISP has provided
(most markets have few ISPs to pick from, and so it might be
easy to provide an ISP-friendly hardware device). The
hardware proxy would also allow for priority traffic specific to
the inverters, i.e., priority over regular HAN traffic. Finally,
the hardware proxy would need to update the utility through a
dynamic-DNS-like service so that the utility was always aware
of the (potentially changing) publicly routable IP address of
the home or facility.
Alternatively, the utility could maintain an ongoing virtual
private network (VPN) connection directly to the inverters
through the existing ISP network and corresponding
switch/modem. A VPN is an encrypted tunnel for
communication between two systems over a network. This
would provide the utility with a direct, secure connection
between the DERMS and each HAN over a public network
based on well-established open standards. Communication
encryption prevents eavesdropping or manipulation by an
outside party. Traffic specific to each HAN could be
communicated through the VPN tunnel with the assurance that
it remains secured from any malicious actors along the
communication path (this would be similar to traffic sent over
a private network). Additional support and maintenance
requirements would be necessary from the utility similar to the
hardware proxy. Additional support from a HANs ISP would
not necessarily be required as most ISPs support VPN tunnels
for their customers without any additional service changes.
However, the ISP is the one providing the network on which
the VPN connections traverse and could impact the quality of
service and thereby impact the reliability of any DERMS
interactions with the inverters. To initiate a new connection,
each inverter would initiate the VPN to a known utility IP
address providing a "plug-and-play" deployment. An
alternative to an inverter initiated connection would be to
deploy a facility gateway where the VPN connection could be
originated to each respective HAN.
Once the method of generating the enclaves is selected, the
specific rules for cleaving the devices must be decided. There
must be a balance: too many enclaves mean higher likelihood
of mistakes in the firewall, VPN, proxies, or router
configurations, slower communication times, and more
difficulty deploying more DER; but at the same time, there
must be a certain number of enclaves to prevent control of a
critical magnitude of generation. Here we offer two basic
approaches:
1. A segmented network with DER placed in one of three
enclaves at random or convenience
2. A critically segmented network where no more than 20%
ofthe total capacity can be in a single enclave
Examples ofthese segmentation strategies on a collection of
DER is shown in Figs. 13 and 14. These approaches are
similar to those explored in a Virtual Power Plant project at
Sandia National Laboratories [57]. The placement ofDER in a
specific enclave could be done based on geography, power
system topology, nameplate capacity, or other metadata. More
sophisticated methods of determining the number of enclaves
and which DER should be placed in each should be considered
an area of future research. Co-simulations of power systems
and DER control networks should also be conducted to
investigate the ease and effectiveness of the enclaving
techniques, and the degradation communication network
performance—if any—when applying these techniques.

Table 3 Methods of enclaving DER networks.

Enclave mechanism
Firewall rules (whitelist DER-to-headend - Private network
connections)for grid operator or
aggregator-owned networks (e.g., AIVII
networks).
Use hardware proxy, which monitors for
DER/utility traffic and exchanges it.
Virtual private networks(VPNs) between
DER and grid operator
Pros
- Extends grid operator or aggregator
local area network(LAN)to the field
area network(FAN)or home area
network(HAN)
- Works well for aggregators
- Traffic send via ISPs using RESTful
HTTP or TLS connections
- Direct connections between DER and
utility
- Reduced latency
- Grid operator controls and easily
changes segmentation
Cons
- More costly
- More management
- Complex
- Potentially less data bandwidth or speed
- RF interference, etc. with using
- Relies on 3rd party(ISP)to manage network
(could have more latency if QoS is an issue)
- Need maintenance contracts
- Privacy concerns(for unencrypted traffic)
- Less flexibility
- VPN management and maintenance difficult
- Could burden facility/home bandwidth

10
 networks. This eliminates the ability of an adversary to
execute a common attack on all the devices if they have
defeated perimeter security mechanisms and gained access to
the system. These solutions taken as part of a larger defense-
Commercial
Residential Batterie in-depth approach to DER cyber security will increase the
PV

Domain A
difficulty of executing malicious cyber attacks on power
systems.
Domain B DER
Enclave B 7. Acknowledgments
DER
Enclave A
Sandia National Laboratories is a multimission laboratory
managed and operated by National Technology and
Domain Engineering Solutions of Sandia, LLC., a wholly owned
Domain C subsidiary of Honeywell International, Inc., for the U.S.
GridOp
SCAM
Domain 'vane
Server
Department of Energy's National Nuclear Security
HMI Engineering
Administration under contract DE-NA-0003525. This work
Workstation

Grid Operator DER was funded by the U.S. Department of Energy Solar Energy
Enclave Enclave C Technologies Office, SunShot Initiative, under Agreement No.
HMI Enclave
30690.
Fig. 15 Segmented network with DER placed in random This paper describes objective technical results and analysis.
enclaves. Any subjective views or opinions that might be expressed in
the paper do not necessarily represent the views of the U.S.
Department ofEnergy or the United States Government.
DER
Enclave 3
8. References
[1] SEIA, U.S. Solar Market Has Record-Breaking Year,
Total Market Poised to Triple in Next Five Years, Press
DER
Release, 8 Mar. 2017.
Enclave 2 [2] IEEE Standard 1547-2003, Standard for Interconnecting
Distributed Resources with Electric Power Systems,
DER 2003.
Enclave 4
[3] A. Hoke, A. Nelson, S. Chakraborty, J. Chebahtah, T.
Wang, M. McCarty, Inverter Ground Fault Overvoltage
DER
Testing, 2015.
Enclave 1 11111111
[4] R. Seguin, J. Woyak,D. Costyk, J. Hambrick, B.
Historian SCADA
Mather, High-Penetration PV Integration Handbook for
Domain 75erver Distribution Engineers, NREL Technical Report,
HMI Engineering
Workstation
NREL/TP-5D00-63114, Jan 2016.
Grid Operator DER [5] A. Hoke, et al., The Frequency-Watt Function:
Enclave DER
Enclave 5 Simulation and Testing for the Hawaiian Electric
HMI Enclave Companies, July 2017.
Enclave 6
[6] Pacific Gas and Electric Co., Electric Rule No. 21,
Fig. 16 Segmented critical network with no more than 20%
Generating Facility Interconnections, Filed with the
ofthe generation placed in one enclave.
CPUC,Jan. 20,2015.
6. Conclusions [7] Hawaiian Electric Company,"Inc. Rule No. 14, Service
Connectionand Facilities on Customers Premises," D&O
In this work, risks presented from communication-enabled No. 33258 filed Oct. 12, 2015, effective Oct 21,2015.
distribution and transmission DER control functions were [8] R. Briindlinger,"Advanced smart inverter and DER
evaluated. The time-domain simulation studies showed functions requirements in latest European grid codes and
improper programming or malicious adjustment of grid- future trends," Solar Canada, 8 Dec. 2015.
support functions would lead to (a) voltage excursions above [9] D. Rosewater, J. Johnson, M. Verga, R. Lazzari, C.
grid code standards which could lead to equipment damage, Messner, R. Bründlinger, K. Johannes, J. Hashimoto, K.
and (b) instabilities in the bulk power system that would lead Otani, International development of energy storage
to load shedding or blackout. Two methods for reducing the interoperability test protocols for renewable energy
impact of those attacks were presented. First, engineered integration, EU PVSEC,Hamburg, Germany, 14-18
controls in the DER firmware or software could be used to Sept, 2015.
prevent DER from operating in unsafe modes. Secondly, the [10] J. Johnson, R. Bffindlinger, C. Urrego, R. Alonso,
risk presented by controlling large aggregations of DER could "Collaborative Development of Automated Advanced
be mitigated by enclaving the devices into logically isolated Interoperability Certification Test Protocols for PV
11
 Smart Grid Integration," EU PVSEC,Amsterdam,
Netherlands, 22-26 Sept, 2014.
[11] California Energy Commission & California Public
Utilities Commission, Recommendations for Utility
Communications with Distributed Energy Resources
(DER)Systems with Smart Inverters, Smart Inverter
Working Group,Phase 2 Recommendations,28 Feb
2015.
[12] J.C. Boemer, A. Huque,B. Seal, T. Key,D. Brooks, C.
VartanianStatus of Revision ofIEEE Std 1547 and
1547.1„ 6th Solar Integration Workshop, Vienna, 14-17
Nov. 2016.
[13] B. Reaugh, R. Beckensten, D. Gross, D. Brearley,
"SCADA Systems for Large-Scale PV Plants" SolarPro,
Issue 10.3, May/Jun 2017.
[14] M. Mills-Price, K. Hao, The Importance of Coordinated
Control Systems in Solar Generation Plants, 1st Annual
PAC World Americas Conference, Raleigh, NC,23-25
Sept, 2014.
[15] E. Syme,Power Industry Communication Protocol
Features and Benefits, ProSoft Technology, Inc.
Accessed 10-19-2017, URL:
https://scadahacker.com/library/Documents/ICS_Protoco
ls/ProSoft%20-
%20Power%20Industry%20Comm%20Protocol%20Feat
ures%20and%20Benefits.pdf
[16] S. Mohagheghi, J. Stoupis, Z. Wang, Communication
Protocols and Networks for Power Systems-Current
Status and Future Trends, ABB US Corporate Research
Center, Raleigh, NC,3 Mar 2011.
[17] SunSpec Alliance, SunSpec Specifications &
Information Models, accessed 10-19-2017, URL:
https://sunspec.org/about-sunspec-specifications/
[18] IEEE Std 2030.5-2013, IEEE Adoption of Smart Energy
Profile 2.0 Application Protocol Standard, Nov. 11 2013.
[19] IEEE Std 1815-2012,IEEE Standard for Electric Power
Systems Communications-Distributed Network Protocol
(DNP3)," Oct. 10 2012
[20] OpenADR 2.0 Profile Specification B Profile, Revision
1.1. Document 20120912-1, 17 Nov 2015.
[21] B. Seal, et al,"Final Report for CSI RD&D Solicitation
#4, Standard Communication Interface and Certification
Test Program for Smart Inverters," June 2016.
[22] J. Henry, et al., Cyber Security Requirements and
Recommendations for CSI RD&D Solicitation #4
Distributed Energy Resource Communications, Oct.
2015.
[23] B. Seal, B. Ealey, Common Functions for Smart
Inverters, Version 4,EPRI Report 3002008217, Dec
2016.
[24] J. Johnson S. Gonzalez, M.E. Ralph, A. Ellis, and R.
Broderick,"Test Protocols for Advanced Inverter
Interoperability Functions — Main Document," Sandia
Technical Report SAND2013- 9880, Nov. 2013.
[25] J. Johnson S. Gonzalez, M.E. Ralph, A. Ellis, and R.
Broderick,"Test Protocols for Advanced Inverter
Interoperability Functions — Appendices," Sandia
Technical Report SAND2013-9875,Nov. 2013.
[26] IEC Technical Report IEC 61850-90-7(2013)
Communication networks and systems for power utility
automation—part 90-7: object models for power
converters in distributed energy resources(DER)
Systems. Edition 1.0.
[27] IEC 61850-7-420(2009)Communication networks and
systems for power utility automation—part 7-420: basic
communication structure distributed energy resources
logical nodes
[28] Underwriters Laboratories 1741, Ed. 2 with Supplement
A,. Inverters, converters, controllers and interconnection
system equipment for use with distributed energy
resources, 2016.
[29] M. Verga, R. Lazzari, J. Johnson, D. Rosewater, C.
Messner, J. Hashimoto, SIRFN Draft Test Protocols for
Advanced Battery Energy Storage System
Interoperability Functions,ISGAN Annex #5 Discussion
Paper, 2016.
[30] M. Morjaria, D. Anichkov,"Grid-Friendly' Utility-Scale
PV Plants," First Solar white paper, 13 August 2013.
[31] J. W. Smith, W.Sunderman, R. Dugan and B. Seal,
"Smart inverter volt/var control functions for high
penetration ofPV on distribution systems," IEEE/PES
Power Systems Conference and Exposition, Phoenix,
AZ,2011, pp. 1-6, 2011.
[32] F. Ding, A. Nagarajan, S. Chakraborty, M.Baggu, A.
Nguyen, S. Walinga, M. McCarty, F. Bell, Photovoltaic
Impact Assessment of Smart Inverter Volt-VAR Control
on Distribution System Conservation Voltage Reduction
and Power Quality, NREL Report, NREL/TP-5D00-
67296, Dec 2016.
[33] J. E. Quiroz, M. J. Reno, O. Lavrova and R. H. Byrne,
"Communication requirements for hierarchical control of
volt-VAr function for steady-state voltage," IEEE Power
& Energy Society Innovative Smart Grid Technologies
Conference(ISGT), Washington, DC,pp. 1-5, 2017.
[34] M.Reno, J. Quiroz, O. Lavrova, and R. Byrne,
"Evaluation of Communication Requirements for
Voltage Regulation Control with Advanced Inverters,"
IEEE North American Power Symposium, Denver, CO,
September 2016.
[35] Pacific Gas and Electric Compnay, Voltage Toleratnce
Boundary, January 1999.
[36] IEEE Std 1668,IEEE Recommended Practice for
Voltage Sag and Short Interruption Ride-Through
Testing for End-Use Electrical Equipment Rated Less
than 1000 V,2017
[37] J. Berdner,"Advanced Inverter Status, CA & HI,"
Integrating PV in Distribution Grids: Solutions and
Technolgies Workshop, Golden CO,Oct 2015.
[38] A. Huque,"DER Interconnection Requirements: Need
for Harmonization," Integrating PV in Distribution
Grids: Solutions and Technolgies Workshop, Golden
CO,23 Oct 2015.
[39] J. Neely, J. Johnson, J. Delhotal, S. Gonzalez, M.Lave,
Evaluation ofPV Frequency-Watt Function for Fast
Frequency Reserves,IEEE Applied Power Electronics
12
 Conference(APEC),Long Beach, CA,March 20-24, and Fast Contingency Reserves," IEEE Journal of
2016. Photovoltaics, vol. 6, no. 6, pp. 1611-1618, Nov. 2016.
[40] A. Hoke, A. Nelson, J. Tan, V. Gevorgian, C. Antonio, [56] J. Stamp,"Design Tradeoffs and Cyber Security for
K. Fong, M.Elkhatib, J. Johnson, R. Mahmud, J. Neely, Microgrids," Energy Exchange: Federal Sustainability
D. Arakawa, The Frequency-Watt Function: Simulation for the Next Decade, Session on Planning Large and
and Testing for the Hawaiian Electric Companies, Grid Small Scale Microgrids and Smart Grids, 10 Aug 2016.
Modernization Laboratory Consortium(GMLC) [57] J. Johnson, et al.,"Design and Evaluation of a Secure
Technical Report, July 2017. Virtual Power Plant," Sandia Technical Report,
[41] P. Kundur,Power System Stability and Control, SAND2017-10177, September 2017.
McGraw-Hill, 1994.
[42] F. Wilches-Bernal, R. Concepcion and R.H. Byrne,
"Impact of Communication Latencies and Availability
on Droop-Implemented Primary Frequency Regulation"
49th North American Power Symposium, Morgantown,
WV,September 2017.
[43] R. Concepcion, F. Wilches-Bernal, R. Byrne,"Effects of
Communication Latency and Availability on Synthetic
Inertia," IEEE ISGT 2017, Arlington, VA,April 23-26,
2017.
[44] F. Wilches-Bernal, R. Concepcion, J. Neely, R. Byrne,
and A. Ellis,"Communication Enabled Fast Acting
Imbalance Reserve (CE-FAIR)," IEEE Transactions on
Power Systems.
[45] NERC,Reliability Standard PRC-006-NPCC-1
"Automatic Underfrequency Load Shedding,"9 Feb
2012.
[46] ISO-NE, OP-13 Standards for Voltage Reduction and
Load Shedding Capability, Appendix B,ISO New
England Operating Procedure, Revision 3.1, 8 Nov 2016.
[47] K. Fong,"A view from Hawaii," Integrating PV in
Distribution Grids: Solutions and Technolgies
Workshop, Golden CO,Oct 2015.
[48] GE Energy Consulting,"Oahu Distributed PV Grid
Stability Study, Part 1: System Frequency Response to
Generator Contingency Events," Honolulu, HI, March,
2016.
[49] National Institute of Standards and Technology Special
Publication 800-82, Guide to Industrial Control Systems
(ICS) Security, Revision 2, Rev. 2, May 2015.
[50] J. Johnson,"Roadmap for Photovoltaic Cyber Security,"
Sandia Technical Report, SAND2017-13262,Dec 2017.
[51] C. Lai, N. Jacobs, S. Hossain-McKenzie, C. Carter, P.
Cordeiro, I. Onunkwo, J. Johnson,"Cyber Security
Primer for DER Vendors, Aggregators, and Grid
Operators," Sandia Technical Report, SAND2017-
13113, Dec 2017.
[52] UL 2900-2-2, Standard for Software Cybersecurity for
Network-Connectable Products, Part 2-2: Particular
Requirements for Industrial Control Systems,2017.
[53] California Smart Inverter Implementation Working
Group,"IEEE 2030.5 Common California IOU Rule 21
Implementation Guide for Smart Inverters," Common
Smart Inverter Profile V1.0, Aug. 31,2016.
[54] DNP Application Note AN2013-001,"DNP3 Profile for
Advanced Photovoltaic Generation and Storage," 2013.
[55] J. Johnson, J. Neely, J. Delhotal, M. Lave,"Photovoltaic
Frequency-Watt Curve Design for Frequency Regulation

13