
Published on August 7th, 2022


New Cybersecurity Tool Simplifies Site Evaluations | News





As federal sites invest in distributed energy resources (DERs) such as solar panels and
battery backups, they must also budget for cybersecurity. More energy resources mean more
complexity to manage, and with it the potential for new cyber vulnerabilities and added
costs down the road.


Luckily, there is a new tool available to help manage this risk: the National Renewable
Energy Laboratory's (NREL's) DER Risk Manager (DER-RM), a downloadable application that
implements and automates a widely trusted information security framework from the
National Institute of Standards and Technology (NIST). The DER-RM, developed with support
from the U.S. Department of Energy Federal Energy Management Program (FEMP), offers a
user-friendly solution for sites that must comply with NIST's Risk Management Framework.

"After two years of the team's hard work and extensive research on the NIST 800-37
Risk Management Framework, we're very excited to launch the beta version of this tool,"
said Tami Reynolds, NREL cybersecurity project lead. "The seven-step NIST framework
is a comprehensive process that helps organizations manage information security and
privacy risk, but it wasn't designed specifically for operational technologies like
distributed energy. The DER-RM offers this service for organizations seeking to adopt
more renewable and distributed energy systems."

Compliance often requires time-consuming, cyclical evaluations, which the DER-RM streamlines.
Beyond NIST compliance, the design of the DER-RM was informed by NREL's previously
developed DER Cybersecurity Framework (DER-CF), a cyber evaluation tool that casts a wider
net, evaluating multiple domains of a site's security such as its cyber governance,
cyber-physical technical management, and physical security. Both applications guide users
through tailored questions to build a profile of their energy system, which is then
assessed and scored, with recommendations specific to that profile for improving it.

"The DER-RM provides a streamlined process for completing and generating associated
reports to achieve compliance, whereas the DER-CF is a flexible, hybrid application
that enables implementation of fundamental cybersecurity practices," said Anuj Sanghvi,
cybersecurity researcher and technical lead for the project. "For organizations beginning
to assess the cybersecurity posture for their distributed generation assets, the DER-CF
application plays a vital role for onboarding DER systems to federal enterprises."


In addition to the launch of the DER-RM, the NREL team recently released a series
of training modules on the more fundamental evaluation tool, DER-CF, through FEMP's
accredited training portal.

Easy Compliance for Controls and Communication

For risk management, the DER-RM is built around the controls-oriented NIST framework,
which is mandatory for federal agencies and adopted by many other organizations. The tool
specifically provides guidance to help organizations attain an Authorization to Operate
(ATO), the outcome of a process in which a facility documents and weighs the risks the
system introduces to an organization's personnel, operations, and other organizations. By
granting an ATO, an authorizing official accepts those risks, and the plan to mitigate
them, for integrating the system onto federal networks.

Users can input their system information, which the DER-RM assesses by applying common
cybersecurity attacks and testing the system's defenses. Users can also upload their
control data files directly, which the DER-RM checks for NIST compliance, reporting
where risk management steps are still needed. Because the NIST framework requires ongoing
evaluations (its final step is continuous monitoring), the DER-RM is a significant
time-saver for maintaining compliance.

"The DER-RM utilizes as many dynamic components as possible to provide a truly tailored
experience to the user," said Ryan Cryar, lead developer of the DER-RM and DER-CF.
"Utilizing the NIST Open Security Controls Assessment Language, or OSCAL, we have
a single schema that allows us to develop around a centralized data model for easier
importing and exporting from different tools for a more custom user experience. No
two assessments are the same."
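The two passages above (checking uploaded control data for compliance, and using OSCAL as a single data model for import and export) describe the kind of check such a model makes cheap. The following is an added illustration, not code from NREL's DER-RM or DER-CF (the page does not describe their internals): it loads an OSCAL profile (the baseline of controls a system must meet) and an OSCAL system security plan (the controls the system claims to implement) and reports which baseline controls are missing, which have no implementation narrative, and which claimed controls the baseline never asked for. Both documents are constructed, minimal OSCAL 1.0 JSON; the UUIDs, titles and control narratives are invented for the example.

```python
"""Control-coverage gap check over OSCAL documents.

Added illustration, not code from NREL's DER-RM or DER-CF. It compares the
controls an OSCAL profile selects with the controls an OSCAL system security
plan (SSP) claims to implement. The two documents below are constructed,
minimal OSCAL 1.0 JSON with invented UUIDs, titles and narratives.
"""
import json

# Constructed OSCAL profile: a small baseline selecting five SP 800-53 controls.
PROFILE = {
    "profile": {
        "uuid": "2f4b1c8e-3a51-4a7d-9b7c-0f1d2e3a4b5c",
        "metadata": {"title": "Example DER site baseline", "version": "1.0",
                     "oscal-version": "1.0.4"},
        "imports": [{
            "href": "NIST_SP-800-53_rev5_catalog.json",
            "include-controls": [{"with-ids": ["ac-2", "ac-17", "au-2", "ia-5", "sc-7"]}],
        }],
    }
}

# Constructed OSCAL SSP for a solar-plus-storage site. It addresses three of the
# five baseline controls, leaves one of those with no narrative, and adds cm-6,
# which the baseline never selected.
SSP = {
    "system-security-plan": {
        "uuid": "7d9e0f1a-2b3c-4d5e-8f60-718293a4b5c6",
        "metadata": {"title": "Example solar+storage site SSP", "version": "0.1",
                     "oscal-version": "1.0.4"},
        "import-profile": {"href": "der-site-baseline.json"},
        "control-implementation": {
            "description": "Controls applied to the inverters, battery management "
                           "system and site gateway.",
            "implemented-requirements": [
                {"uuid": "a1000000-0000-4000-8000-000000000001", "control-id": "ac-2",
                 "remarks": "Inverter and BMS portal accounts are created by the site "
                            "operator and reviewed quarterly."},
                {"uuid": "a1000000-0000-4000-8000-000000000002", "control-id": "au-2",
                 "remarks": "The gateway forwards login, configuration-change and "
                            "setpoint events to the agency SIEM."},
                {"uuid": "a1000000-0000-4000-8000-000000000003", "control-id": "sc-7",
                 "remarks": ""},
                {"uuid": "a1000000-0000-4000-8000-000000000004", "control-id": "cm-6",
                 "remarks": "Inverter settings are locked to the commissioning baseline."},
            ],
        },
    }
}


def baseline_controls(profile: dict) -> set[str]:
    """Return the control ids a profile selects through explicit with-ids lists.

    OSCAL profiles can also select controls by pattern or with 'all'; those
    selection forms are deliberately not handled in this example.
    """
    ids: set[str] = set()
    for imp in profile["profile"].get("imports", []):
        for selector in imp.get("include-controls", []):
            ids.update(selector.get("with-ids", []))
    return ids


def implemented_controls(ssp: dict) -> dict[str, str]:
    """Map each implemented-requirement's control id to its narrative text."""
    ci = ssp["system-security-plan"]["control-implementation"]
    return {req["control-id"]: req.get("remarks", "").strip()
            for req in ci.get("implemented-requirements", [])}


def gap_report(profile: dict, ssp: dict) -> dict:
    """Classify every control relative to the baseline.

    missing:  selected by the baseline, absent from the SSP
    empty:    present in the SSP but with no implementation narrative
    extra:    claimed in the SSP but never selected by the baseline
    coverage: fraction of baseline controls with a non-empty narrative
    """
    baseline = baseline_controls(profile)
    implemented = implemented_controls(ssp)
    claimed = set(implemented)
    present = baseline & claimed
    empty = {c for c in present if not implemented[c]}
    covered = present - empty
    return {
        "missing": sorted(baseline - claimed),
        "empty": sorted(empty),
        "extra": sorted(claimed - baseline),
        "coverage": round(len(covered) / len(baseline), 2) if baseline else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(gap_report(PROFILE, SSP), indent=2))
```

Run stand-alone, the script prints the gap report for the constructed documents: ac-17 and ia-5 are missing, sc-7 has no narrative, cm-6 is outside the baseline, and coverage is 0.4. The same three classifications are what an assessor looks for before an ATO package goes forward, and working from the OSCAL schema rather than a spreadsheet means the same check runs unchanged on documents exported from any other OSCAL-aware tool.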

Both the DER-RM and DER-CF are available at no cost, with an accessible user interface
and the option to anonymize users. For organizations that require cybersecurity compliance,
these tools offer a quick, user-friendly way to align with several cybersecurity
frameworks and best practices. For organizations that are simply interested in improving
the security of their facilities and DERs, the DER-RM and DER-CF offer accessible
solutions with a unique focus on DERs, allowing organizations to continue to evolve
their energy systems and stay ahead of cyber threats.

To learn more about the DER-RM and how to access it, please contact Ryan Cryar.




