Recent reports from multiple news outlets, including Reuters, Fox News, have revealed the presence of undocumented communication devices in Chinese-manufactured solar power inverters, posing a significant cybersecurity risk to the U.S. power grid. These hidden devices could enable remote manipulation, threatening grid stability and highlighting the critical need for stringent NERC CIP compliance.
This is especially worrying with the recent push to increase the number of IBR assets on the grid. To meet standards like CIP-013-2 (Supply Chain Risk Management), utilities must bolster supply chain security, perform thorough equipment inspections, and deploy advanced cybersecurity measures, such as enhanced firewalls and intrusion detection systems. These steps are essential to mitigate vulnerabilities, ensure compliance, and protect the bulk electric system from potential disruptions.
The E-ISAC is currently recommending entities review the DOE Report titled "Battery Energy Storage Systems Report" and take steps to minimize potential supply chain vulnerabilities, particularly when it comes to devices built in China. This event could also affect the NERC Standards CIP-010-4 – Cyber Security – Configuration Change Management and Vulnerability Assessments and CIP-007-6 -Cyber Security – Systems Security Management as it pertains to possible rouge devices in critical assets and mitigation strategies.
Link to the E-ISAC Bulletin (login required)
For questions or to discuss further, reach out to the GDS Energy Reliability & Security Team and let us know how we can help.