About the Cybersecurity Value-at-Risk Framework
NREL developed the Cybersecurity Value-at-Risk Framework (CVF) to evaluate the cybersecurity posture that informs cybersecurity investment decisions, maintaining the security and cost-competitiveness of the hydropower fleet and improving its potential to contribute to a secure, reliable, and resilient grid.
Background
As increasing numbers of distributed energy resources (DERs) are introduced to the bulk power system, the electric grid is transforming. Compared to a grid powered by a small number of large, centralized generation facilities, the modern grid is becoming more reliant on smaller, decentralized generation, which requires careful coordination to maintain stability. As a result, utilities and customers are seeing progressively complex and interconnected communications networks—a modern grid that is evolving to be more data- and communications-driven.
These changes naturally increase the cyberattack surface. Further complications arise from the fact that a significant portion of DERs will be owned and controlled by consumers and third parties who may not be aware of the need for rigorous cybersecurity.
While smart meters and advanced metering infrastructure have already expanded the utility's attack surface, DER deployment presents additional risks due to:
- The distributed nature of DERs
- Control and communication requirements for DERs
- The large number of devices and access points that operate outside a utility's administrative domain.
NREL developed the framework to expand upon existing cybersecurity frameworks, including the U.S. Department of Energy's Cybersecurity Capability Maturity Model (C2M2), the National Institute of Standards and Technology's cybersecurity framework, and other standards established by the U.S. Department of Homeland Security, the Department of Defense, and the International Electrotechnical Commission.
With no existing cybersecurity framework that addresses this need, the CVF tool allows federal agencies to improve the protection of their energy networks—which have a direct impact on information and operational technology networks—against the rising potential of cyberattacks.
The Team
Researchers with NREL's Cyber-Physical Security group developed the CVF with support from the U.S. Department of Energy Water Power Technology Office.