The National Renewable Energy Laboratory (NREL) has released version 2.0 of the Cybersecurity Value-at-Risk Framework (CVF), a free, publicly available tool that helps power plant owners and operators assess their cybersecurity risks and make sound cybersecurity investment decisions. Informed by feedback from industry stakeholders, these updates provide users with advanced tools to assess and improve cybersecurity across multiple facilities – and to better visualize their assessments.

An old power source faces new threats

Hydropower is one of the oldest forms of renewable energy in the United States. The nation’s first commercial hydropower plant was the Redlands Power Plant, built in California in 1893. Over the past 100-plus years, hydropower has become an integral part of the nation’s renewable energy mix, now accounting for 28.7% of total U.S. renewable electricity generation.

Today, most power-generation facilities, including hydropower plants, are connected via the internet. While this interconnectedness improves operational efficiency and keeps costs low, it also increases the risk of cyberattacks. In fact, in the last 20 years, over 40 cyberattacks have targeted hydropower facilities.

“Older hydropower facilities were built long before the digital era, so it follows that they were not designed with modern cybersecurity in mind,” explained NREL cybersecurity researcher and network security engineer Anuj Sanghvi. “Now that we’re in the digital era, adversaries that use data as their main source of leverage are thinking, ‘How can we hold energy generation hostage?’”

Agile assessments and enhanced visuals

The CVF offers managers of hydropower facilities a self-guided, automated way to assess their plant’s cybersecurity risks and consider the best upgrade investments. The tool provides risk probabilities and scores, highlighting the financial value of cybersecurity improvements needed to handle future threats. Whereas the original CVF allowed users to assess only one facility per organization, CVF 2.0 allows users to assess multiple facilities in an organization.

“Any given organization has multiple projects and multiple facilities,” Sanghvi said. “With these updates, users can conduct any number of assessments for any number of facilities. This allows users to compare multiple facilities and then make informed decisions at the organizational level.”

In addition, CVF 2.0 features improved dashboards that allow users to better visualize the CVF’s risk assessments. The assessments include an output called valuation guidance: a list of prioritized action items and recommendations that shows the potential impacts of cybersecurity risks in order to demonstrate the importance of minimizing those risks. This improved interface provides a clearer picture of potential losses such as equipment damage, operational downtime, and safety impacts, all of which operators can mitigate through cybersecurity investments.

“Cybersecurity investments can include buying a new gateway device or security application,” Sanghvi explained. “They can also look like hiring new staff dedicated to cybersecurity or training existing staff on the most current cybersecurity technologies.”

Future updates to reflect real-dollar values

Sanghvi and the CVF team are now working on future CVF upgrades that will convert the tool’s value-at-risk score – which measures a facility’s risk level and shows the number and types of resources needed to improve cybersecurity – into monetary values. These values will show how much money a facility could lose if risks go unaddressed, as well as what it might cost a facility to invest in technologies, processes, and employees that will help address the facility’s cybersecurity risks.

“We hope these updates will make the CVF easier to use and also more helpful for users’ day-to-day decision-making,” said Sanghvi. “Ultimately, we want the CVF to provide users with enough information that they can see cybersecurity not as a burden but as something to improve their operations and make them more resilient.”

The CVF team is also looking to collaborate with the US Department of Energy’s (DOE’s) Wind Energy Technologies Office, Solar Energy Technologies Office, and Office of Cybersecurity, Energy Security, and Emergency Response in an effort to apply the CVF to other renewable technologies.

“Cybersecurity risk valuation is necessary for all critical infrastructure, and energy infrastructure is critical infrastructure,” Sanghvi said. “If we can make this framework more general for a range of energy technologies, even more users will get value out of it. That means more secure energy facilities, which means a more secure national grid.”

The CVF was developed with support from DOE’s Water Power Technologies Office.