TLDR: A button to switch off our entire electricity grid? We are creating one with insecure high-power connected devices. Should we worry about it? The more high-power devices (home appliances) are connected to the grid, the more we should worry about our grid stability and the availability of power. We should have cyber security in place before millions of those devices are added to the grid. The regulation should be done on (at least) the European level.
What is the Internet of Energy
The Internet of Energy (IoE) is a term for all IT-connected producers and consumers (hardware) of electricity. Usually IoE allows a more efficient usage of energy (and aligns demand and supply). You can think of locally produced and stored energy, as well as devices in homes talking to each other to manage the flow of energy.
What are typical IoE devices
Typical devices in the Internet of Energy are devices that can consume a lot of power and are natively connected, such as electric cars, heat pumps, solar inverters etc.
Lately, home appliances like refrigerators and ovens/stoves are also becoming smart and connected. This means those devices can be controlled, and are thus considered part of the IoE.
What is the challenge?
A refrigerator only uses a small amount of peak power (0.1 kW), while an oven or stove can easily use up to 4 kW of peak power. An electric car charging at a public charging station or at home usually draws somewhere between 3.7 and 11 kW.
Solar (PV) panels on homes can typically produce from 1 to 10 kW, and stationary batteries can go from 2 kW up to 11 kW or more.
To combat climate change, we will be adding more and more sustainable production to the grid, so more of these connected inverters (and possibly also batteries) will be connected. Simultaneously, we’re increasingly switching consumption from fossil fuels for heating to electricity, and from internal combustion engines to electric ones.
The switch to renewables and all-electric, it’s a good thing, right? What’s your point?
Well, it surely is a good thing to switch from fossil to renewable, no question about that. However, the way we’re doing this now when it comes to connectivity feels like we haven’t learned from previous mistakes and challenges when switching to being more connected.
Just because it’s an area with a lot of innovation (when it comes to physics, especially on batteries, efficient heat pumps, solar panels etc.), we are forgetting the need for good cyber security. The focus is entirely on functionality, rather than on including cyber security by design.
Everything is connected, just because it “needs to be connected”. But the security of those devices is lacking, or not there at all.
In 2017 a robot vacuum cleaner got hacked, and in 2020 an IP camera got hacked and “started talking” to the owner. These might look like individual cases, but those cases are adding up. I think it’s an industry-wide problem: cyber security adds cost to a product, and the problem is usually only marginal (from a local perspective, so only for the owner).
The Colonial Pipeline hack in the US showed once again how reliant we are on technology, and how it can impact our daily lives.
In May there was a hack of the Nuclear Safety Administration.
The impact changes when it’s not just about an IP camera (although the privacy infringement can feel pretty bad for the individual) but about higher power appliances. Everybody would say: Yes, power plants need to be secure! Electricity is important!
Aggregation of high power home appliances, that’s when it becomes scary
But because the aggregated sum of higher power appliances feels less threatening, we don’t seem to care. It feels further away from us, or maybe it’s just hard to grasp.
Aggregation is also done when hackers perform a Distributed Denial-of-Service (DDoS) attack. The ‘power’ of one device isn’t enough, but the combined power of smaller devices is enough to bring down entire networks.
When we talk about power plants we all agree that they need to be cyber secure, because they account for a lot of power. But the aggregated sum of high power home appliances can easily exceed a few power plants. That’s where the risk is. Protecting one asset, which you have full control over, is easier than protecting distributed assets that are bought and installed by home owners.
Let’s take 100.000 (one hundred thousand) charge stations. That might sound like a lot but in the Netherlands we already have more than 2.5 times that (June 2021). If those 100.000 stations charge with an average power of 5kW, it accounts for 500MW (500.000kW). Most newer cars can actually charge at 11kW (3 phases, 16 amps per phase at 230 volts), so the issue will only get worse with time.
Our continental European grid is interconnected (also frequency-wise). This means that it doesn’t matter where in Europe the charge station is: as long as you can control it, you can have an effect on the frequency of the entire continent. On a European level, 100.000 chargers doesn’t sound like that much anymore when it’s 2030.
Imagine controlling 500.000 chargers that charge with an average power of 10kW; that’s a whopping 5000 megawatts! That’s a tremendous amount of power. A nuclear power plant (in the US) has an average of 1000MW (1GW) output.
Hacking a few charge point operators that operate 500.000 chargers will give you control over the same amount of power as hacking 5 nuclear power plants. Do the math when you include home batteries, heat pumps, PV inverters, and smart ovens…
Impact on the grid
Is it really that big of a deal? Yes. Just yes. In short, the impact can be both on the European level or locally.
European level (transmission grid)
For Continental Europe, the EU states in the regulation establishing a guideline on electricity transmission system operation:
The reserve capacity for FCR required for the synchronous area shall cover at least the reference incident and, for the CE and Nordic synchronous areas, the results of the probabilistic dimensioning approach for FCR carried out pursuant to point (c);
(b) the size of the reference incident shall be determined in accordance with the following conditions:
(i) for the CE synchronous area, the reference incident shall be 3 000 MW in positive direction and 3 000 MW in negative direction;
This means that continental Europe should be able to handle a disruptive 3 gigawatt (GW) change. However, if you have control over 300.000 chargers, you already have that amount of power at your disposal. Any malicious person, hacker or state actor could use those chargers to bring down (or heavily disrupt) the grid. Switching those devices on and off creates an oscillating effect on the grid (and its frequency), and thereby disrupts demand/response at a high level. This could potentially bring down parts of the European grid.
Cascading effects could then lead to a catastrophic blackout all over Europe. One of the possible issues was explained in the Texas blackout. Although the US grid runs at 60 Hz and our European grid at 50 Hz, the effects are the same.
“If there’s not enough power on the grid to meet demand, ERCOT officials said, the frequency of the grid drops below that 60 hertz level. That can cause physical damage to equipment that moves power around the state. And it can force more power plants to shut down — possibly leading to a complete failure of the grid.”
In Europe a system split happened on the 8th of January 2021, due to outages of several transmission network elements in a very short time. The initial event was the tripping of a 400 kV busbar coupler in the substation Ernestinovo (Croatia) by overcurrent protection, according to ENTSO-E. This resulted in a decoupling of the two busbars in the Ernestinovo substation, which in turn separated north-west and south-east electric power flows in this substation.
If the frequency had been lower than 49.7, this would probably have created a cascading effect with an unknown outcome. And as far as my knowledge goes, it’s also unclear how a restart from a total blackout would work and how much time it would take. It could lead to days without power.
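The aggregation arithmetic from the sections above can be turned into a per-operator exposure check, as a regulator or grid operator might run it. This is an added example, not part of the original article: the operator names, the fleet inventory and the 10% review threshold are constructed assumptions, while the per-device kW figures and the 3000 MW reference incident come from the text.

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Reference incident for the CE synchronous area, from the guideline quoted above.
REFERENCE_INCIDENT_MW = 3000.0

@dataclass(frozen=True)
class Fleet:
    operator: str      # hypothetical backoffice/operator name
    device_class: str
    devices: int
    avg_kw: float      # average controllable power per device

# Constructed inventory; per-device figures follow the ranges given in the article.
CONSTRUCTED_FLEETS = [
    Fleet("cpo-a", "charger", 100_000, 5.0),
    Fleet("cpo-b", "charger", 500_000, 10.0),
    Fleet("appliance-vendor", "oven", 200_000, 4.0),
    Fleet("inverter-vendor", "pv-inverter", 50_000, 5.0),
]

def exposure_by_operator(fleets):
    """Sum the controllable power (MW) behind each operator's backoffice."""
    totals = defaultdict(float)
    for f in fleets:
        totals[f.operator] += f.devices * f.avg_kw / 1000.0
    return dict(totals)

def devices_to_reach_reference(avg_kw):
    """Devices of one class whose combined power reaches the reference incident."""
    return math.ceil(REFERENCE_INCIDENT_MW * 1000.0 / avg_kw)

def classify(fleets, review_share=0.10):
    """Rank operators by their share of the reference incident.
    review_share is an assumed audit threshold, not a value from any regulation."""
    rows = []
    for operator, mw in exposure_by_operator(fleets).items():
        share = mw / REFERENCE_INCIDENT_MW
        if share >= 1.0:
            label = "exceeds reference incident"
        elif share >= review_share:
            label = "significant"
        else:
            label = "minor"
        rows.append((operator, mw, round(share, 3), label))
    return sorted(rows, key=lambda r: r[1], reverse=True)

if __name__ == "__main__":
    for row in classify(CONSTRUCTED_FLEETS):
        print(row)
    print("10 kW chargers needed for 3 GW:", devices_to_reach_reference(10.0))
```

The output ranks each backoffice by how much of the reserve it could swing on its own, which is the figure a security baseline or audit schedule would be tied to.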
Locally (distribution grid)
As more renewables are added to the grid, along with more heat pumps, electric cars and other appliances with high power demand, the need for capacity management will increase, and at some point it will become a must. The cables can only handle so much electric current; if that amount is exceeded, they heat up and wear accelerates.
The point is, when capacity management is a must to keep the (local) grid from overloading, this also means that if somebody can change the behavior of multiple devices in that part of the grid, it could potentially harm that part of the grid (increased wear, or even instant damage/outage).
What should we do to mitigate those risks?
What we should do is have cyber security requirements in place, and legislation to force the use of those requirements, to create a more secure connected Internet of Energy. The challenge here is not technical: technically we can already make those devices (and their backoffices) more secure by design, by securing the communication, hardening the systems and making them more resilient. It’s not rocket science and it has been done multiple times before. It’s just that nobody forces manufacturers to release a secure product when it comes to high-power grid-connected devices, it seems.
We need legislation that requires devices (and their backoffices/servers) to be secure and to follow a cyber security framework before they’re allowed on the market. Just like in the smart phone market, where devices now need to receive updates for at least a few years, home appliances should receive cyber security updates for at least 10+ years. Yearly audits of these devices, servers, backoffices and software development departments should ensure they are compliant and stay compliant.
I’m no expert in legislation, so I don’t know how this could be done, but I’m sure there are enough people who know how that works. I just know that it (a cyber security baseline) should be enforced as soon as possible, otherwise we’ll have millions of those insecure devices in place. The development will, once again, have overtaken legislation.
One way could be via (an EU-wide) certification. If a device, and the full chain with the backoffice, is considered secure and meets the requirements, such a device could get a certificate. This would make it easier for customers to choose from a list of suppliers/manufacturers that are considered secure.
When we do it right, we won’t notice anything (and might make it feel like all the work wasn’t necessary in the first place), but don’t do it right and we’ll feel the consequences.
It’s only a matter of time before things go south. It’s not about if it will happen, but when. The numbers are increasing, and so is the impact.