Distributed Energy Resources Cybersecurity Outlook:Vulnerabilities, Attacks, Impacts, and Mitigations 

In this paper, we focus on cyberattacks targeting DER assets on both the device and communication levels. We discuss cyberattacks targeting the DER devices themselves and their
autonomous capabilities (e.g., defensive islanding) and ancillary services (e.g., voltage/frequency regulation, active/reactive power compensation, etc.). DER security should be viewed holistically and is contingent upon the security posture of the inherent DER device architectures (e.g., vendor-specific), the utilized communication protocols, and control schemes (e.g., user, aggregator, or utility -defined). Comprehensive security solutions should encompass an adversary viewpoint capable of not only mitigating previous incidents (as most of the
literature does), but proactively defending against “what could happen” scenarios. To bridge this overlooked research gap, we first discuss the motives and resources of adversaries and the
crucial components of DER systems before we focus on DER attacks at the i) communication protocol and ii) device levels. Last, DER protocol- and device- level vulnerabilities, attacks,
impacts, and mitigation strategies are presented.

The roadmap of this work is as follows. Section II presents the adversary and attack models. Sections III and IV outline the protocol- and device-level vulnerabilities, the corresponding cyberattacks, and potential impacts and mitigations. Section V concludes the paper and provides a brief discussion of DER cybersecurity metrics and future challenges.

II. THREAT MODELING
This section identifies high-value targets in DER-integrated systems and attack vectors with their corresponding cyberthreats. Assumptions about adversary capabilities and knowledge, and attack specifics following the threat model methodology are introduced in [35]. According to MITRE’s ATT&CK for industrial control systems (ICS) framework the distinction
between the adversary and attack models is crucial. The former allows us to evaluate a threat incident from the “what could happen” attacker viewpoint, instead of the “what did
happen” defender’s angle. The attack model, describes the requirements for a vulnerability to become a system threat [36]. We compile the threat vectors and the methodology followed to materialize attacks (Table II), and provide cyberattack definitions which are used in Sections III and IV.

A. Adversary Model
The following discussion delineates the assumptions followed in this study regarding the adversarial system knowledge and capabilities, and how they correlate with attacks targeting
DER grid communications and devices. Adversaries could rely on publicly available open-source intelligence information to perform their attacks [37]. Additional knowledge can be
acquired after a system asset or device is compromised and/or while a cyberattack is propagated in the system. Knowledge can also be obtained by accessing unsupervised hosts on
enterprise networks [34], [38], by gaining unauthorized access to data shared among DER devices. Other methods include eavesdropping, intercepting exchanged data [39], IP identification and port scanning, application-level protocol exploitation [38], [40], ciphertext decryption, or malicious insiders.

Equally important to the attacker knowledge assumptions are the adversarial capabilities (i.e., “what could happen”). Adversarial capabilities consider the access to DER assets
within a given system. For example, an attacker might be able to connect to remote DER devices through legitimate Bluetooth or speedwire connections (i.e., insider case) [41].
Additionally, attackers could possess or have physical access to EV charging stations or to the local area network (LAN) over which DERs communicate [42]. In the latter case, such
access could be achieved if attackers can infiltrate the LAN using proxy attacks on PCs, routers, surveillance systems, etc. [43]. Additionally, other attacks assume that the adversary is
capable of compromising peripheral controllers and deploying custom firmware [44], [45] (e.g., change voltage measurement values in human-machine interfaces (HMIs) [40]). As a result, attackers can remotely manipulate and jeopardize various physical assets (e.g., distribution level devices, DERs, substation equipment, etc.) [37]. Attackers are assumed to have sufficient computational resources – especially when supported by criminal organizations or nation-state actors – to crack passwords and decrypt power grid data. For example, it is reported that by brute forcing PIN codes of wind farm control panels, attackers could send malicious commands to wind turbines impacting grid operation [42].

B. Attack Model
The attack model specifics are essential for the threat model description (e.g., in retrospection of past cyberattack incidents). Although we do not provide one-to-one mappings between attacks (presented in this study) and each corresponding attack model component, their key aspects – influencing impacts and mitigation strategies – are described in Sections III and IV. Attack model information is crucial when establishing the requirements for a vulnerability to develop into a system compromise, its potential impact, and mitigations or other methods to overcome such adversity. Following the attack methodology in [35], the attack model can be considered as being composed of the following six elements, i) the attack frequency, ii) the attack reproducibility, iii) the functional level being attacked in the system, iv) the attacked asset, v) the techniques being used, and vi) the attack premise. For instance, some attacks might have to be performed iteratively and reproduced multiple times to compromise the system
behavior. This could be the case with packet replay, DoS, and MitM attacks, where attacks might aim to spoof DER communications or exhaust DER protocols and/or device resources
causing intermittent, slow, or loss of communication thereof [46]. The attack functional level and the targeted DER assets notably differ when considering communication protocol and
device attacks. Typically, cyberattacks targeting DER devices could be assigned to levels 0 and 1 including process sensors, actuators, and controllers, while attacks on the communication,
coordination, and control fabric of DER systems target the higher levels (i.e., 3, 4, and 5) of the Purdue model [47].
Distinctions are also necessary when investigating the attack techniques and the premise of cyberattacks. A detailed presentation of the most common and recent attack techniques used
by adversaries can be found in [36]. The attack premise delineates whether the attack is performed in the cyber or physical system domain. For our study, identifying the attack premise
is fairly intuitive since DER protocol attacks are limited to the cyber domain, while DER device compromises could span both the cyber and the physical domains. Information on how complex cyberattacks could target the cyber and physical domains while exploiting diverse attack techniques is provided in [35]. Specifically, in the case studies presented in [35],
physical devices, e.g., inverter controllers, are compromised by exploiting control logic modification techniques impacting power conversion, power factor, active/reactive injections, etc. Additionally, cyberattacks targeting communications – via time-delay attacks on the cyber domain – and the impact of intercepted, delayed, and/or modified control commands on
the simulated power system models are also demonstrated.

C. DER Targets and Cyber-Threats
We refer to mission-critical system assets which can jeopardize grid operation if maliciously compromised by threat actors as crown jewels [48]. Crown jewels span the ICT
infrastructures, such as the stakeholder-to-DER device communication channels [46], physical-interfaces [43], and the DER devices themselves. Notably, DER devices include PV inverters or smart inverters [40], BESS, EVs, wind turbines [42], demand-side loads [49], and DER controllers. Gaining access to any crown jewel, enables adversaries to manipulate DER power output (e.g., generated, stored, etc.), which can result in possible brownouts, false trips, feeder overloadings,
voltage/frequency violations, damaged protection equipment or system instabilities [26].

We distinguish between attacks targeting the DER communication protocols used for the control and coordination of DER assets, and the actual DER embedded devices and their components, i.e., hardware, and software. Although the threat surface for these two categories might share similarities, it also has differences (e.g., attack access, exploitation tactics
and techniques, etc.). Along with these differences, the interoperable nature of DER systems mandates comprehensive security mechanisms that treat the DER crown jewels jointly.
Table III compiles common cyberattack definitions relevant to DER asset vulnerabilities.

III. DER PROTOCOL LEVEL
The following section elucidates DER protocol-level security oversights and furnishes approaches to mitigate and overcome the impact of intrusions exploiting the communication plane. We systematically examine prominent industrial control protocols and demonstrate the DER cyber kill chain, indicating the steps adversaries follow to compromise EPS operations.

A. DER Protocol Level Vulnerabilities
The most commonly used protocols for DER communication include the IEEE 1815-DNP3, Modbus, OpenADR, and IEEE 2030.5 [53]. However, most of these protocols did not originally support any overarching cybersecurity requirements [54]. Specifically, Modbus and DNP3, two widely used serial protocols in process automation systems, have several identified vulnerabilities. For instance, the authors in [30], provide a comprehensive attack taxonomy for DNP3 and discuss 28 different attack types. The presented attacks can be
classified into four broad threat categories, including DNP3 data i) interruption, ii) interception, iii) modification, and iv) fabrication attacks. Interruption and interception attacks could
delay control commands to industrial assets or acquire data in-transit. However, modification and fabrication attacks arise as the most threatening since they can send erroneous data
to affect industrial processes, alter device configurations, and spoof master controllers, as shown in Fig. 4. The attack impacts range from the acquisition of network and device
configuration data to the corruption of remote devices and acquiring control of DNP3 master units. Similarly, more than 700 vulnerabilities have been identified in the open source
CERT Java-based implementation of OpenADR [55]. Some of those vulnerabilities could be remotely exploited, compromising sensitive data such as usernames, system properties,
installation directories, etc [56]

To enhance the security of DER communication, IEEE 1547-2020 interconnection and interoperability standard identifies the security requirements to be satisfied by both communicating parties [57]. Although compliance with IEEE 1547 can safeguard the exchanged data and control commands issued between DERs and aggregators, cyberattacks aiming
to disrupt grid operations (e.g., DoS) remain. Of the aforementioned DER protocols, only IEEE 2030.5 was developed with stringent cryptography requirements [58]. The latest
versions of DNP3 [59], Sunspec Modbus 700 series [60], and OpenADR 2.0 conform with IEEE 1547-2020 and National Institute of Standards and Technology (NIST) requirements.
As such, they can be seen as semantically identical from a security standpoint with IEEE 2030.5 [60]. Furthermore, transport layer security (TLS 1.2 or 1.3) is advised for all protocols to enhance wireless communications security between aggregators and DER edge devices [52], [61].

Although there are secure communication protocols, the network communication infrastructure remains a prominent threat vector for adversaries. This can be attributed to the
hesitation of industrial facilities to switch to newer and more secure communication protocols considering the potential economic or operational overheads. The plethora of legacy
devices is also a limiting factor that restricts the modernization efforts of the communication fabric. The situation is further exacerbated since according to the Electric Power Research
Institute (EPRI), more than 75% of North American electric utilities use the DNP3 protocol for industrial control applications and supervisory control and data acquisition (SCADA)
systems [62]. For instance, attacks targeting DNP3 communications could either aim to exploit vendor implementations of the protocol, protocol specifications, or vulnerabilities in the
supporting communication infrastructure [30]. In addition to DNP3 protocol vulnerabilities, user datagram protocol (UDP) vulnerabilities arise since, in some systems, portions of DER
modification requests are passed in plaintext [26], which presents a critical control vulnerability to the DER system.

Applying the latest protocol versions using TLS and cryptographically secure communication channels can potentially deter adversaries. However, the security of the power grid system is contingent upon each weakest link. Knowing that many already deployed DER devices support insecure and outdated versions of the aforementioned communication protocols, limited computational capabilities prohibiting the implementation of sophisticated encryption algorithms or even updating their firmware (e.g., could be infeasible due to field operational
constraints), urges for potent attack detection and mitigation mechanisms. Following, we discuss some of the eminent cyberattacks exploiting the pitfalls of protocol vulnerabilities.

B. DER Protocol Level Attacks
To identify which layer of the protocol stack is targeted by each attack, the Open Systems Interconnection (OSI) basic reference model is used [63]. The OSI model has seven major
layers: application, presentation, session, transport, network, data link, and physical layer. In this paper, we focus on the security of commonly used industrial control protocols and specifically consider the data link, network, and transport layers of the OSI stack. The physical layers as well as the session, presentation, and application layers are not discussed since
no security requirements are defined for the physical layer (bit transmission layer), while the aforementioned higher OSI layers can be application-specific or supported by other application protocols (e.g., secure file transfer protocol – FTP/SFTP, simple network management protocol – SNMP, telnet, etc.).

Data link layer uses the Ethernet protocol which is vulnerable to media access control (MAC) spoofing attacks. MAC addresses can be spoofed, allowing Ethernet frames to be
forwarded to adversaries [41]. In addition, MAC flooding attacks target the MAC address tables used by switches to store the information of legitimate devices, and the specific ports to which each device is connected [41]. On the network layer, the cybersecurity of DER device communication is specified by IEEE Std. 2030.5, which operates over the UDP
and transmission control protocol (TCP) with support for IPv4 and IPv6 protocols [52]. Many owners of DER devices can remotely communicate with their DER devices and receive
data such as measurement statistics, network communication analysis, firmware updates, and more.

Especially for Modbus and DNP3, multiple attacks have been reported that compromise the confidentiality, integrity, or availability of in-transit data. In [31] 28 attacks targeting
Modbus TCP packets and 20 attacks targeting Modbus serial instances are reported. Threat actors with network access, can intercept, interrupt, modify and fabricate Modbus control
packets causing DoS, and/or injecting bad data and malicious commands resulting in loss of situational awareness and asset controllability. Similar attacks on DNP3, i.e., packet
interception, fabrication, etc., are reported in [30] focusing mainly on the data link and transport layers, achieving loss of confidentiality, awareness, and control of industrial assets. In [38], the authors demonstrate the feasibility of attacks that corrupting manufacturing message specification (MMS) communications (facilitated by IEC 61850) by reporting false inverter limits curtailing the power generation of DER assets.

Attacks targeting UDP vulnerabilities, during client-to-DER device communications, such as packet replay attacks have also been reported [26]. During a successful packet replay attack, the plaintext requests are captured while being transmit ted. The attacker can then send the captured packets and issue malicious commands to the DER, resulting in device malfunctioning. For IPv4/IPv6 protocols, possible attacks include, network reconnaissance, packet replay, MitM, and DoS [46]. Sophisticated MitM attacks on client applications and DER device communications have multiple steps. First, the adversary eavesdrops on the DER-to-client communications and then performs address resolution protocol (ARP) poisoning and port
stealing attacks [46]. ARP poisoning forces the MAC address of the adversary to be linked to the IP address of the target. This technique enables the interception of data in-transit. Port
stealing enables the interception and modification of data by the adversary before it is delivered to the destination.
On the transport layer, the predominant attack is synchronization (SYN) flooding. SYN flooding is a type of DoS attack where the adversary sends continuous SYN requests to multiple ports of the target device using fake IP addresses [41]. The target device sends acknowledgment packets (SYNACK) to each fake IP request. Since no consequent actions are performed by the fake IP client, the target device’s port remains open until the connection times out.

C. DER Protocol Level Impacts
The MAC spoofing attack on the data link layer aims to give adversaries unauthorized access to the network by maliciously modifying the source IP address [41]. Another attack on this
layer, MAC flooding, can target DER devices such as inverters, which can result in memory overuse and potential communication bottlenecks. The adversarial impact could lead to loss of availability in communication with the DER device, including the inability to control DER power management parameters.
MitM and packet replay attacks on the network layer of DER device communication leverage the commands received from client applications using UDP/IP transport protocols.
Such interception has been reported in [46], where sensitive information involving DER generation data and control commands were exchanged in plaintext format. Traffic analysis and in-transit packet inspection can be used to exfiltrate setpoint values. The underlying impact of a successful packet replay attack is demonstrated in [3], where the replay attack doubles the magnitude oscillations of the DER’s real output power. In microgrids, especially during autonomous operation, such disturbances could result in relay trippings, damaged
equipment, and potentially load shedding events [64]–[66].
The impacts of protocol-based DoS attacks, e.g., during SYN flooding, could diminish the availability of DER devices. Reference values for real/reactive power and phase measurements are critical for the operation of inverters. If such information is delayed, real-time reference values cannot be updated, and thus the DER operation is indicated by firmwaredefined defaults [3]. Such distortions can result in under- or over-generation, leading to uneconomic operation, and real or reactive power instabilities in the DER connected grid [67].

D. DER Protocol Level Mitigations
Different mitigation strategies for protocol-level attacks have been reported in the literature [41], [68]. To mitigate spoofing attacks on the data link layer, authentication-based
access control is necessary. In the presence of authenticationbased access control, the communication between the client and the device has to be first authenticated before the client is allowed to connect and exchange data and control commands.
An alternative proposed mitigation approach considers the network switch configuration, i.e., white-listing a limited number of trusted MAC addresses, while discarding requests from
unknown sources. Network switch best practices suggest the deployment of an authentication, authorization, and accounting server, that manages connections and certifies that the MAC
addresses are added to the table only after being authenticated.

On the network layer, the use of firewalls, one-way communication diodes, packet filters, circuit-level gateways, proxy servers, and two-way authentication can be utilized to prevent
network reconnaissance, packet replay, MitM, and DoS attacks. The use of physical and logical network segmentation and perimeter security defenses can be used to prohibit access to critical parts of the system and prevent the lateral movement of threat actors between IT and ICS networks (if the prior is compromised) [69]. Demilitarization zones should also be
enforced to aid network segregation and serve as proxies, avoiding the security hazards that network-connected devices could port to DER control functionalities. DER applications
using TCP/IP are more resistant to packet replay attacks since unique session IDs are generated during the initial three-way TCP handshake (communication initialization) [46]. TCP/IP
transport includes additional IP header information that DER applications can use to prevent packet replay attacks. Leveraging the unique IP headers, the server is able to detect and drop
duplicate packets, hence preventing packet replay attacks.

Furthermore, the implementation of cryptographic techniques, secure key distribution, and exchange schemes can help prevent MitM and replay attacks [70]. Currently used
cryptographic mechanisms might no longer be secure once quantum computers become widely available, and EPS stakeholders will have limited time to adapt their systems [71]. To
address this issue, quantum key distribution (QKD) schemes have recently been proposed to improve the security of cryptographic keys [72], [73]. Contrary to other application
fields, e.g., computer networks, online banking, etc., the power systems community has only recently started considering such approaches, and this can be mainly attributed to the fact that
QKD schemes cannot be directly applied to deployed and legacy systems. In addition, testbeds to evaluate the real-time performance of such quantum schemes do not exist. However,
in the future, it is evident that quantum-secure encryption algorithms, QKD schemes, and the essential infrastructure to test them would be part of EPS cybersecurity research [74].
On the transport layer, mitigation of SYN flooding attacks is achieved by cryptographic hashing and stack tweaking, which reduce the connection request timeout period dropping
incomplete sessions. Cryptographic hashing will determine the legitimacy of the connection by sending the SYN-ACK packet with a code derived from the client’s IP address, port number,
and unique ID number. Dropping incomplete connections in stack tweaking frees up ports for legitimate connections. Firewalls, intrusion detection and prevention systems (IDS/IPS),
and traceback and push-back services can limit excessive traffic, therefore countering DoS attackers. Fig. 5 presents the DER cyber kill chain, where we recapitulate protocol
vulnerabilities and attack entry points, enumerate potential attack impacts, and mitigations to overcome adversities.

IV. DER DEVICE LEVEL
Different DER categories can be identified based on their operation principles, thus, DER device compromises can impact grid operations to varying degrees based on their category and system utilization. This section focuses on vulnerabilities, attacks, impacts, and mitigations on the DER device-level.

A. DER Device Level Vulnerabilities
Inverter-based resources are rapidly deployed in EPS on a commercial and residential scale. However, they remain vulnerable to cyberattacks that can modify or erase their default DER settings [49]. Rooftop PV inverter control, for instance, is regulated both on the local level (primary) as well as at a higher level, i.e., secondary control. The primary control system is responsible for matching the inverter-generated energy to the consumer power demand. Contrary to the local control system which operates on the consumer side, centralized secondary control resides on the concentrator/aggregator and utility sides. The secondary control system orchestrates inverter operation on a larger scale, by managing ancillary services and providing setpoint updates to local control systems regulating frequency and voltage deviations after a perturbation, e.g., load change, fault, etc., has occurred. Typically, these control systems are operated remotely, using Internet-of-Things (IoT)-
based and third-party applications, which could expose such DER devices to cyberattacks. For example, in [46], the authors demonstrate that by eavesdropping DER communications (performed over the Internet), passwords, user data, serial IDs and device names can be extracted using network traffic analysis software (e.g., Wireshark). Furtheremore, in some
cases, sensitive information is exchanged in plaintext format, highlighting the importance of end-to-end data encryption and endpoint security hardening on the physical device itself.
Similar security concerns exist for wind turbines which represent another significant DER type. Wind turbine control panels (WTCP) are used to control turbines and monitor their real-time operating conditions, e.g., their generation setpoints are dynamically controlled to meet the electricity demand. According to [42], in some deployments, the only security practices employed against adversaries attempting to access the WTCPs are software-based credential authentication (e.g., passwords, identification number, PINs, etc.). Standalone credential authentication is not considered secure, granted that it can be bypassed using brute forcing and fuzzing techniques. Additionally, phishing, spear-phishing, vishing, etc., and other
social engineering campaigns have also managed to exfiltrate sensitive authentication data from operators potentially jeopardizing the secure operation of wind-based DERs.

The electrification of the transportation sector is a major thrust towards grid decarbonization. As a result, a precipitous growth has been observed in the number of EVs across the
world. EV batteries can be used as backup power supplies during unexpected and instant power demand. To support such ancillary backup services, as well as to charge their battery resources, EVs connect to the electric grid via charging stations. According to [75], EV charging stations (EVCS) first, authenticate the EVs, and then they either charge them or connect them to the main grid to be used as ad-hoc energy storage. Authorization can be done through radio frequency identification (RFID), Bluetooth, or Wi-Fi technologies. However, RFID systems have been proven to be insecure and are vulnerable to malicious attacks such as eavesdropping and
active interference [76]. RFID readers and tags operate in noisy environments, which decreases security and can consequently compromise the EVCS. Furthermore, authorization
done using wireless networks (Wi-Fi or Bluetooth) can be exploited by adversaries as well. Multiple design flaws, security weaknesses, and practical attack scenarios have been reported
regarding Bluetooth technologies, enabling adversaries to pair to devices and impersonate legitimate users [77]. Apart from the authorization and wireless network configuration security
oversights, in [78] the authors present the vulnerable components of EVs that could be exploited by adversaries (e.g., remote attacks) compromising grid operation.

Apart from the discussed vulnerabilities concerning generation-type DERs, critical vulnerabilities in DER controllable loads also exist. The IoT is a network of connected devices including smart appliances (e.g., smart thermostats, air-conditioning, heat pumps, EVCS points, etc.), enabling the exchange of information between devices and users leveraging
wired and wireless connections [79], [80]. These IoT-enabled devices are connected to the load-end of DERs and their operation is typically orchestrated remotely by their end-users. According to [79], [81], a large number of IoT devices (using remote internet access mechanisms) still lack concrete security mechanisms and, as a result, can be vulnerable to cyberattacks.
Researchers have demonstrated that attackers can manipulate IoT-connected devices in low-inertia EPS (e.g., relying on renewable generation) and other exogenous conditions to cause
unsafe grid operation. That is, in [80], [82], the authors investigate the impact on grid stability of load altering attacks – if multiple IoT-connected high-wattage devices are compromised
simultaneously – during the COVID-19 lockdown period. This adversarial behavior is enabled by the absence of overarching defense mechanisms, such as anti-viruses, and the sporadic
provision of software/firmware updates and security patches which further weaken the device security posture. As a result, the vulnerabilities of such IoT-connected devices can be ported
to the utility grid, given their interconnection to DERs.

The authors in [83] report that another compelling reason undermining IoT – and DER-controllable load – security is that during the design cycles, function and lowering manufacturing costs were prioritized above firmware security. As a result, end-users are presented with feature-full devices with multiple backdoors that adversaries can exploit; paving
the way for malware developers [83]. Smart thermostats, for example, represent a prime example of how the consequences of a compromised IoT device could propagate, posing threats to the power grid. Smart thermostats regulate the temperature of residential or commercial facilities by “cleverly” managing heat sources and air conditioners. Thermostats can learn their users’ patterns and adapt their operation accordingly. The cybersecurity of such devices has been shown to be lacking since many are shipped from manufacturers using default configurations and predefined credentials [79]. Furthermore, the end-users of such devices might be unaware of the essential steps secure their devices against cyberattacks. Consequently, such devices are left vulnerable to attacks that could simultaneously trigger on/off particular loads (e.g., heaters) deliberately affecting the instantaneous power demand of power grids, leading to blackouts or brownouts [4].
Similarly to IoT-based systems which leverage ICTs to exchange information, recently the design of solar farms has also incorporated “smart” features. In large solar deployments,
ICTs are used for the remote and real-time management of
the generated power used for economic dispatch and demandresponse schemes. Centralized storage solutions are also used for the aggregation of historical and generation data, exposing
solar farms to threats (e.g., single-point-of-failure paragon). The remote control, communication, and data aggregation features of grid resources can be exploited as attack entry points. This was the case with the cyberattack targeting VESTAS offshore wind turbine manufacturer, which led to the ex-filtration of sensitive data and “forced VESTAS to shut
down IT systems across multiple business units and locations to contain the issue” [84]. Although, according to the Danish wind manufacturer, customers were not affected, the socioeconomic and reputation blow to the company was acute. In residential solar deployments, communication technologies such as Bluetooth are used regardless of the limited cybersecurity mechanisms, which can result in security breaches compromising user privacy [49]. Aside from the attacks on IoT controllable loads and generation assets that stem from
inherent implementation or architectural vulnerabilities, the possibility of supply-chain-based attacks should also be considered. Security oversight in manufacturing facilities can be
exploited to develop supply-chain attacks, in which adversaries are granted apriori control over thousands of DER-connected assets [85]. The possibility of supply-chain compromises along
with the catastrophic consequences of such events was demonstrated during the colonial pipeline incident in 2021 [21].

B. DER Device Level Attacks
Attacks targeting the DER device level exploit implementation, architectural, and other security design oversights (e.g., communication, internal storage, remote update or control
functionality, etc.) to maximize their impact and compromise EPS operations. In the case of inverters, for example, after successfully gaining access to the DER assets, adversaries can launch cyberattacks including, i) DoS attacks compromising the inverter’s availability, ii) data alteration attacks where the exchanged data between DERs and utilities are maliciously
modified, and iii) command injection attacks where termination commands or malicious controls are forwarded to the inverters [29], [38]. During DoS attacks, the communication
bandwidth of the inverter can be flooded leading to disruptions, i.e., the process control flow of the device is suspended [46]. Inverter operation is dynamically regulated to enhance
power generation efficiency and support ancillary services when requested by grid operators. However, adversaries could delay or prevent the transmission of critical data (e.g., sensor measurements, control commands, etc.) to certain DERs inhibiting their operation [46].

MitM attacks can also be leveraged to compromise grid inverters. In such scenarios, attackers can gain device-level information by eavesdropping on data traffic between inverters and the utility grid. Attackers can access system information by decoding MMS real-time data packets [40]. Given that most inverter models use MMS to send and receive data, such attacks could have a considerable impact on grid stability. Attackers could compromise the DER operation by modifying the inverter configuration using undesirable parameters, e.g., tampering with the reactive power references [86]. Brute force attacks can also be leveraged to compromise DER assets. In [42], researchers demonstrate that adversaries can brute force weak PIN sequences and get access to WTCPs. Similarly to the inverter command injection attack, adversaries can send malicious commands to wind turbines, modifying setpoints or control objectives, causing unexpected operations [87].

In many cases, DER assets are owned by end-users, interfaced to user networks, and exhibiting similar operation to common IoT devices. As such, DERs could be remotely operated and controlled by consumers or other third-party applications. IoT devices have been exploited on a massive scale in the past, as was the case with the Mirai botnet attack [79]. The Mirai malware, after its propagation to multiple vulnerable IoT devices, grants adversaries full control over the compromised devices. Groups of compromised devices, i.e., botnets, can then be collectively exploited to cause distributed DoS (DDoS) attacks [88]. However, in the case of DERs, such attacks could severely affect grid stability. Apart from botnet attacks, other IoT-sourced vulnerabilities could be also abused.Threat actors can perform replay attacks
by replicating legitimate commands transmitted from DER asset owners. RFID authentication and Bluetooth or Zigbee communication packets can be eavesdropped and replayed,
enabling unauthorized access to DER devices [89]. The security of these IoT-connected DER devices is relied upon the user competence in safeguarding their assets. If IoT network security is overlooked, adversaries could capture exchanged data, obtain session or encryption keys, access the devices, and issue commands to render DERs unreachable (DoS) or
instruct anomalous operations [89].

C. DER Device Level Impacts
Adversaries, after gaining initial access to DER devices, can follow different approaches to deploy their attacks [36]. If maximizing the immediate system-wide impact is the
objective, overvoltage or undervoltage conditions, frequency fluctuations, false trippings, and disconnection mechanisms could be targeted. Power systems have built-in mechanisms to automatically detect and isolate such high-impact events to limit their consequences. Different detection approaches (e.g., physics-based, data-driven, or a combination of the two) could be used to overcome such conditions [40], [90], [91].

On the other hand, in the advanced persistence threat (APT) case, threat actors might prioritize system persistence, breach of privacy, and long-term system degradation instead of
immediate impact, and opt for more sophisticated and stealthy attacks [92]. For instance, attackers could exploit firmware vulnerabilities and achieve remote access on DERs through public-facing applications or the supported remote services [36]. While in control of the DER device, attackers can stealthily perform minute modifications to system parameters
or coordinate attacks in ways that will not affect the net system behavior deceiving detection mechanisms [93], [94]. Such stealthy attacks might cause unsafe, unstable, or uneconomic
operation of IBRs. Adversaries could also exfiltrate sensitive user information (e.g., credentials, passwords, etc.), since DER devices might be connected in user-owned home networks.
Attackers may also be learning the operational patterns of DERs, that is, aggregating enough system information to identify the temporal and spatial conditions which, if satisfied,
can maximize the impact of attacks on the grid [93], [95].

The rapid adoption of EVs (from 3 million in 2017 to 125 million by 2030 [96]) makes them prominent targets for attackers aiming to gain access to EVs or EVCS. Malware
can be deployed and propagated throughout the whole EV infrastructure, compromising the charge controllers, demandresponse schemes, charging limits, grid power quality, and crippling the power and transportation sectors. According to [37], compromised EV supply equipment (EVSE) servers can prevent EVCS sessions by denying authentication, or reproducing incorrect information about charging station data (e.g., price, online station status, etc.). Furthermore, EVCS being high-wattage assets, if maliciously manipulated in addition to power-related consequences (e.g. increased load demand, power quality issues, etc.), can also inflict considerable financial losses on electric power utilities [97]. Similarly, sensitive user information (e.g., identity, location, payment information, etc.) could be leaked during potential attacks on the EV and charging infrastructures [98]. The absence of attack impact assessment methodologies for EV networks is highlighted by the authors in [99]. Their work attempts to identify potential attack and failure scenarios while demonstrating the consequences
of such events on the corresponding EV system security.

Researchers have demonstrated that there are multiple paths to compromise the security of wind-integrated DER assets. In [42], access to WTCP is granted by launching a brute force dictionary attack on the WTCP device. Similarly, in [87], by compromising network devices and wind process automation controllers, malicious requests can be sent to turbines, preventing nominal operation and potentially causing damage to critical electrical and mechanical components. The impacts of such attacks can lead to fires, explosions, jeopardize personnel assigned to resolve such issues, and the safety of surrounding communities [100], [101]. The
aforementioned high-profile wind incidents might have not been caused by cyberattacks, but the probability of exploiting wind turbine vulnerabilities remotely exists. Furthermore,
the impact that attacks on wind turbines could have on grid reliability has been investigated in the literature [102], [103].

Malware, such as the Mirai and its derivatives, or other supply-chain exploits (e.g., hardware trojans, vulnerabilities in commercial and open source software) could be leveraged to control the operation of IoT-connected DERs leading to intermittent operation and DDoS attacks [104]. As a result, the botnet of the compromised DER devices can be maliciously operated as a distributed load or generation. Grid instability can thus occur when DERs and other remotely controlled high-wattage devices (i.e., smart thermostats, EVs, EVSE, Heating, Ventilation, and Air Conditioning – HVACs, etc.) are simultaneously switched on or off, severely affecting the
electricity power demand [105]. In large-scale demand-side attack scenarios, grid operators will be forced to perform load shedding to sustain critical loads [82]. Consumers might experience brownouts and service interruptions, while the impacts of load-altering attacks on the local power supply will also affect demand-response schemes [106]. In addition to grid impacts, infected devices could also propagate malware (in a worm-like fashion) to the rest of the devices residing within the same network (e.g., switches, personal computers, mobile phones), thus, jeopardizing sensitive user information [107].

D. DER Device Level Mitigations
To combat threats targeting DER devices, a multitude of mitigation strategies have been proposed. With respect to inverters, the authors in [26] suggest that an additional power electronic interface (energy buffer) should be developed and placed at different locations within the distribution grid (mainly at points where the device is connected to the grid). This energy buffer interface can help avoid unintentional islandings, which could be triggered due to the conflicting antiislanding detection and low/high voltage ride-through functions that inverters support. The micro-architectural hardware components of inverter controllers have also been utilized for the detection of malicious events within the DER asset’s process control loop [44]. In [108], the inherent physical properties of DER-integrated grid systems are used to identify potential actuator or sensor modifications which could lead to abnormal system operation. Furthermore, a multitude of model- and data-driven anomaly detection methods have also been proposed to identify compromised DER assets [109]. Once intrusions have been efficiently detected, the compromised assets are isolated and the available grid resources are
utilized to achieve resilience and maintain the power supplydemand balance equilibrium [110], [111].

The prevention of adversaries from launching DoS attacks on EVSE can be achieved via the use of hardened operating systems [112]. Such systems can be leveraged to deploy and keep the EVSE with up-to-date firmware. Furthermore, roll-back firmware update functionality is essential, enabling the use of previously working firmware, in cases where the updated firmware versions are proven unreliable or have been maliciously modified. Different methodologies have also been proposed for the mitigation of the harmonic interference of EV-related cyberattacks. For instance, the authors in [113] and [114], propose pulse-width-modulation and a high-frequency resonance scheme, respectively, that can mitigate the power
quality degradation introduced by EVs and bidirectional gridtied converters (e.g., battery storage). On the other hand, a power management framework leveraging renewable resources
and the EV infrastructure itself is used in [115], in order to alleviate power quality challenges encountered in unbalanced distribution networks. The importance of cyber insurance
against cyberattacks on EVCS has also been highlighted by researchers. In [97], the authors demonstrate that defense mechanisms and cyber insurance policies can effectively reduce the financial impacts of cyberattacks and curtail insurance premiums for the entities that manage EVCS.

Towards mitigating brute force attacks targeting weak credentials used by WTCP, [112] recommends the usage of password management systems. Furthermore, monitoring user behavior (e.g., failed login attempts), network segregation, and role-based access control rules are encouraged. To mitigate stealthy attackers who aim to gain access to wind turbine
controllers exploiting their remote firmware update capabilities (e.g., over-the-air updates), in [116] and [117] different methodologies are proposed to verify firmware trustworthiness. In [116], a secure firmware update scheme is introduced, where devices leverage the blockchain to check for new firmware versions and validate their integrity before downloading and installing the firmware images. On the other hand, in [117], the authors leverage a hardware architecture to validate firmware authenticity. Cryptographic modules are utilized to guarantee the integrity and authenticity of firmware packages.

When viewing DERs from the IoT perspective, most of the security implications and attack mitigation strategies applicable for IoT end-devices could be exercised. In [118], the authors suggest the use of a personal security application (PSA) as a countermeasure. PSA resembles a combination of security features, such as access control mechanisms, malware
detection, network traffic, and resource utilization monitoring, etc., to strengthen the security posture of IoT devices and networks. Blockchain technology has also been mobilized to
safeguard the security of IoT networks, singling out malicious nodes from benign ones [119]. For example, a blockchain detection methodology is presented in [104] to protect IoT nodes from the Mirai botnet.

On the other hand mitigating supply-chain compromises, hardware- or software-based can be challenging. State-funded initiatives, such as the CHIPS program in the USA are
essential to establish “a secure and resilient semiconductor supply-chain that adheres to standards and guidelines on information security, data tracking, verification, and promotes
the further development and adoption of such standards” [120]. Furthermore, adhering to recommendations and practices issued by cybersecurity organizations, such as the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), etc. is crucial to mitigate software supply-chain liabilities [17]. In [79], best practices, mitigation techniques, and security policies are enumerated, viewed from the IoT device, infrastructure, communications, and services standpoints which closely match the obstacles that DER infrastructure will have to overcome.

V. DER CYBERSECURITY CONCLUDING REMARKS
Improving EPS cybersecurity and resilience is of critical importance and DERs are expected to contribute toward this effort. However, the sophistication of cyberattacks targeting EPS indicates that multifaceted security approaches should be considered. In Fig. 6 we present potential vulnerabilities at the different levels of the grid architecture, and the impacts of attacks targeting DER devices, aggregators, and utilities. Detection, protection, and mitigation schemes should factor in the inherent vulnerabilities in both DER stacks (cyber and
physical) and on every level, from DER assets to system operators. Therefore, security evaluation metrics, which consider how DERs contribute to EPS, are crucial, given the potential risks and system-wide impacts of cyberattacks.

A. Cybersecurity Metrics for DER-integrated Systems
The risks associated with compromises involving DER assets require substantial cybersecurity investments from utilities and aggregators. To justify such investments, metrics are essential for assessing the cybersecurity posture of the involved stakeholders, and the efficiency of the implemented cybersecurity methodologies in curtailing potential risk. In [121], diverse analytical metrics are discussed to assess the resilience of cyber-physical systems (CPS). Similarly, in [122]
and [123] cybersecurity and resilience metrics are developed to analyze industrial control systems. Different approaches have been followed to provide qualitative and quantitative metrics to measure the cybersecurity and resilience of power systems [33], [124], [125]. For instance, NIST has proposed a framework that consists of five essential functions to overcome adverse events, namely identify, protect, detect, respond, and recover [126]. For each of these five functions, performance metrics are then employed to assess the ICS security posture
using insights from real-world incidents. However, such frameworks fail to measure security holistically since only specific system sections are investigated.

To address this issue, in [127], the authors extend the R4 resilience framework [128] by introducing a quantitative metrics hierarchy under four main domains, i.e., system robustness,
redundancy, resourcefulness, and rapidity. CPS cybersecurity is then evaluated by decomposing each of the four aforementioned domains into subcategories and deriving scores based on asset criticality, interconnectivity, system network topology, and underlying physical processes. A similar path is followed in [129] where a quantitative security metric is proposed that factors the interaction between cyber and physical layers. Then, optimal decisions are made by integrating this security metric in cyber-constrained AC power flow studies,

EPRI highlighting the challenging task of quantifying security in diverse DER architectures has presented a datadriven cybersecurity metric methodology [130]. The proposed metrics framework combines real-world IT and OT data aggregated from the system-under-test. Sixty security metrics, including mean time to discovery, mean time to recovery, threat awareness, endpoint protection scores, etc., are then combined to assess and quantify the cybersecurity status of the system. The sixty metrics are categorized under three core categories (i.e., operational, tactical, and strategic) depending on the operational constraints and security requirements as identified by each stakeholder (e.g., utility, aggregators, etc). EPRI has open sourced its cybersecurity metrics calculation software, OpenMetCalc, which allows users to load their system-specific data and compute their system’s performance with respect to these sixty metrics [131]. Based on these scores, executive decisions can be made, and resources can be
prioritized to reduce and/or mitigate potential risks. Although this cybersecurity metric endeavor led by EPRI is a step in the right direction, it is still an ongoing research topic that
requires active participation from the energy sector.

B. Future Challenges
This work explores the cybersecurity posture of DERs as an essential building block for future resilient EPS. We investigate threats and present an overview of attacks without focusing on specific DER types, e.g., rooftop solar, BESS, or wind turbines. DER vulnerabilities are examined from the protocol and device levels, which are pertinent regardless of the DER type. We furnish a consolidated review of attacks and their potential impacts. Mitigation methodologies and design best practices are also discussed, and in Table IV, we compile a summary of mitigation schemes against different attack types.
Even though the proposed strategies could reduce the DER threat surface, they cannot be considered as “silver bullet solutions”. This fact is partly attributed to the DERs’ distributed mode of operation, which can be utility-, aggregator-, or prosumer- owned. Especially for the latter case, user negligence in the security configuration of their DER assets, could give rise to compromises. However, the risk and magnitude of such disturbances depend on how many DERs could be attacked simultaneously. Security standards and policies – such as IEEE 1547-2020 [57], NISTIR 7628 [132], NIST SP800-82 [69], CA Rule 21, Hawaii Rule 14 [133], and IEEE 1815.1 [59] – should be enforced ensuring the innocuous DER operation.

The strong coupling between electricity markets, demand response schemes, and DERs can also incentivize the exploitation of DERs for financial benefits. False data injection attacks manipulating measurement points at the distribution level have been demonstrated to be capable of deceiving state estimators and influencing economic dispatch mechanisms [134]. Load forecasts can thus be biased, affecting the marginal prices in electricity markets, to benefit corrupt distribution utility operators and DER aggregators. To thwart such attacks, resilient state estimation algorithms [91], and incentive reduction policies should be implemented [134].

Security challenges will still exist, regardless of the preventive and preemptive methodologies that we propose. Developing universal risk management schemes can be a perplexing or infeasible task due to the distributed, ad-hoc (e.g., EVs, battery storage) and stochastic (e.g., solar inverters) nature of DERs. However, comprehensive system modeling using digital twin systems and data-driven approaches can be leveraged to forecast grid behavior and predict cyberattack impacts. Additionally, risk assessment and cyber-physical risk metrics can be used to evaluate and prioritize mitigation decisions. High-fidelity information, derived from system models, can assist risk metric estimations, which can prove useful when designing response strategies and self-healing schemes [135].

The influx of DER devices and their projected numbers underscore the need for comprehensive security practices. To harness DER advantages and withstand their underlying security impediments, the combined knowledge of security engineers, the industry, and academia is essential. User vigilance is also crucial to impede malicious behavior attempting to achieve foothold on user-owned DERs. Security standardization and policy-making procedures can strengthen the cybersecurity posture of DERs and prevent vulnerabilities from materializing
into threats. However, if the discussed practices fail to prevent or detect attacks, risk metrics, detailed system modeling, and mitigation plans can orchestrate resources to inhibit or overcome undesirable grid conditions and enhance EPS resilience.

ACKNOWLEDGEMENT
This publication is based upon work supported by King Abdullah University of Science and Technology (KAUST) under Award No. ORFS-CRG11-2022-5021.