D.C. distributed energy proposal draws concerns of increased cybersecurity risks

Published on June 18, 2018 by Jaclyn Brandt

© Shutterstock

The District of Columbia is considering creating a Distributed Energy Resources (DER) Authority within the city, making the district the first jurisdiction within the United States with a similar plan for its energy future.

The goal, according to the two city councilmembers who introduced the bill, Mary Cheh and Charles Allen, is for customers to have more insight into their energy use, as well as giving the local utility, Pepco, the chance to better estimate energy needs.

But in the city that holds many of the nation’s confidential secrets, is there a cybersecurity concern that comes with integrating more distributed energy resources?

According to Eddie Habibi, CEO at PAS, a cybersecurity company offering services to the energy and power industries, the risk of cyber attacks is very real. An attack could cause a loss of power in a large area of the country for an extended period of time, and can be almost as bad as any natural disaster.

“Every information system, as well as every control system, is at risk. Whether they are on the internet or not, they are at risk,” he said. “The risks vary from nation states, to ransom hackers, to others, who would be looking for information, for example, credit card numbers, confidential information that we don’t want to expose, to bringing down a grid, or bringing down a refinery, to cause damage, to cause harm.”

The D.C. proposal would allow third-party vendors to create numerous points of energy distribution, which could potentially create more opportunities for cyberattackers to threaten the electric grid.

“We have multiple grids throughout the nation. But if you go to a smaller set of networks, you have distributed the risks. If one goes down, you won’t have an entire city or an entire state go down,” Habibi said. “That’s the benefit. The consequences are less,” he added, but the downside is that “attackers will have more systems to come in through.”

The proposed new authority would collect real-time energy use data and would also require a non-wires alternative analysis be conducted whenever Pepco identifies an infrastructure project expected to cost $25 million or more to see if there are any renewable options that could be used, such as solar, wind or battery storage.

Pepco has stringent security processes in place to protect sensitive customer data and has strict rules for its transmission, but is concerned that providing customer data in the way the bill proposes could lead to misuse of the data and increased cybersecurity risks.

“The legislation would allow access to sensitive customer information, including customer bills, account numbers, usage, and billing data and would provide oversight of critical infrastructure projects that Pepco would be required to implement as part of the effort to provide continued safe and reliable service for customers,” said Tasha Jamerson, senior communications specialist with Pepco, a unit of Exelon Corp.

Councilmember Allen said the proposal would help the District understand how much energy is being used and will help the city purchase energy much more efficiently.

“Right now District residents annually send $1.8 billion outside of the District to purchase fossil fuels,” Allen said. By having real transparency into our energy needs, we will better understand how to meet those energy needs in a sustainable way. And that makes it possible to create a marketplace for District businesses to add solar, wind, and other renewable energy to help power our grid.”

Pepco said that passing such a bill would be a waste of taxpayer money and would involve work that is already being accomplished within the district.

“The distribution system in the District of Columbia is complex and critical to the 296,000 customers including critical services, such as the federal government. Implementing this arrangement would be costly and involve a great deal of work that would duplicate activities that are already being performed by Pepco and the Public Service Commission of the District of Columbia,” Jamerson said.

Pepco said it already provides data and innovative tools to the public that serve to improve the energy market and provide a more reliable, efficient, affordable and sustainable grid.

“However, Pepco cannot mitigate risks on the side of the District Authority which, under the proposed legislation, would pool customer information and make the information available to a wide range of people and groups.”

The utility has been managing security risks for 120 years in the District of Columbia, and said it has learned the best ways to protect customers’ data and information. Pepco is concerned a bill could be passed with no concern for what it takes to protect that data.

“The DER Authority has no experience planning or operating the District of Columbia distribution system,” Jamerson said. “Because the DER Authority is inserting its judgment into Pepco’s planning process, it could create system operations, reliability, and security risks.”